VM Escape Earns Hackers $105K at Pwn2Own

Hackers pulled off a VM escape and took down Adobe Flash, Microsoft Windows and Edge, Apple Safari and macOS, and Mozilla Firefox at Pwn2Own 2017.

Hackers managed to take down Microsoft Edge and escape a virtual machine to boot on the third day of Pwn2Own early Friday. Members from Qihoo’s 360 Security Team carried out the VM exploit, earning the group $105,000, by far the highest amount awarded to a group at the hacking challenge this week.

Led by team leader Zheng Wenbin, a/k/a mj0011, the group used a heap overflow in Microsoft Edge, a type confusion bug in the Windows kernel, and an uninitialized buffer in VMware for a complete virtual machine escape.

This is the second year that entrants have been given the opportunity to exploit a VMware Workstation virtual machine. After no one attempted targeting it last year, Pwn2Own upped the ante this year by raising the award for an escape from $75,000 to $100,000.

On the second day of Pwn2Own, no product was immune; hackers took down Adobe Flash, Microsoft Windows and Edge, Apple Safari and macOS, and Mozilla Firefox.

Apple products were targeted early and often on Thursday as part of the annual competition held alongside the CanSecWest conference in Vancouver.

Hackers from two groups were able to elevate privileges on macOS right off the bat. 360 Security used an info leak and a race condition in the kernel to do so, while Chaitin Security’s Research Lab used an info leak and an out of bounds bug in the operating system’s kernel.

Chaitin, a newcomer to the competition this year, had chained six Safari bugs together the day prior to achieve root access on macOS. While the macOS exploits earned both groups $10,000 apiece, 360 Security came back and exploited Safari through an integer overflow, then escalated to root through a macOS kernel use-after-free, earning them an additional $35,000.

Two other teams were scheduled to exploit bugs in macOS; one decided to withdraw its attempt, the other was disqualified because the bugs they were planning on using had previously been disclosed to Apple.

The attacks against Flash came a day after hackers took down another Adobe product, Reader. Hackers with Tencent Security and Qihoo 360 poked holes in the software early Wednesday to earn $75,000 collectively.

360 Security team exploited a use-after-free bug, two Windows kernel info leaks, and an uninitialized Windows kernel buffer to elevate Flash to SYSTEM-level access to start out the day. Tencent meanwhile used a use-after-free bug against Flash, and then escalated to SYSTEM via another use-after-free in the Windows kernel. Both groups earned $40,000 apiece for their work.

Like Wednesday, Microsoft’s Edge browser was a popular target on Thursday. Another Tencent Security group, Team Lance, managed to exploit a use-after-free in Chakra core, then elevate their privilege to SYSTEM through another use-after-free in the kernel.

Another Tencent Security team, Team Sniper, comprised of Keen Lab and PC Manager researchers, also owned the browser through a use-after-free in Chakra. Like Team Lance, the group was able to escalate to SYSTEM privileges after through another use-after-free in the Windows kernel. Both Tencent teams pulled in $55K apiece for their exploits.

Edge was a popular punching bag–Tencent’s Team Ether earned $80K on Wednesday for escaping the browser’s sandbox–but Windows had its share of exploits too. 360 Security exploited the operating system with an out-of-bounds bug in the kernel while Tencent’s Team Sniper elevated privileges in the OS via an integer overflow in the kernel.

As far as browser hacks go, the only news outside of the Edge exploits was that one group, Chaitin, managed to take down Firefox. The group used an integer overflow and then escalated privileges through an initialized buffer in the Windows kernel, an exploit that earned them $30K.

Google’s Chrome has emerged in one piece – the one team that targeted the browser Wednesday couldn’t get their exploit chain working in the allotted timeframe.

There are only three exploits scheduled for today, the last day of the hacking challenge.

360 Security has already succeeded at the SYSTEM-level escalation exploit it planned to pair with a virtual machine escape.

One entrant, Richard Zhu a/k/a fluorescence, will target Edge with a SYSTEM-level escalation while another, Tencent Security’s Team Sniper also plans to target VMWare Workstation.

While there aren’t many attempts scheduled, there could still be a good amount of money on the line.

If Tencent Security’s Team Sniper, the group targeting the second VMWare exploit, manages to pull off their exploit, the group will become the second to earn $100,000.

Suggested articles