Security researchers who participated in the Pwn2Own hacking contest this week demonstrated remote code execution exploits against the top four browsers, and also hacked Adobe Reader and Flash Player plug-ins. The second and final day of Pwn2Own 2015 saw successful exploits by both entrants against four products, with each going after multiple targets and collecting a total of $235,000.
This brings the two-day payout total to $552,500, not including the value of the laptops, ZDI points, and other prizes given to winning researchers..
On Thursday, a researcher who uses the hacker handle ilxu1a took down Mozilla Firefox with an out-of-bounds read/write vulnerability leading to medium-integrity code execution. He reports he found the bug through static analysis, which is impressive. ilxu1a received $15,000 USD for the bug.
Next, JungHoon Lee (lokihardt) demonstrated an exploit that affects both the stable and beta versions of Google Chrome. He leveraged a buffer overflow race condition in Chrome, then used an info leak and race condition in two Windows kernel drivers to get SYSTEM access. With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000. To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration.
For his final act of the competition, JungHoon Lee (lokihardt) took out Apple Safari using a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser and bypassed the sandbox for code execution. That netted him another $50,000 USD and brought his daily total to $225,000.
The final entrant in Pwn2Own 2015, ilxu1a, attempted to exploit Google Chrome, but ran out of time before he could get his code working.
As with every Pwn2Own, all vulnerabilities were disclosed to their respective vendors and each vendor is working to fix these bugs through their own processes.
The final numbers for Pwn2Own 2015 are impressive:
- 5 bugs in the Windows operating system
- 4 bugs in Internet Explorer 11
- 3 bugs in Mozilla Firefox
- 3 bugs in Adobe Reader
- 3 bugs in Adobe Flash
- 2 bugs in Apple Safari
- 1 bug in Google Chrome
- $442,500 USD bounty paid out to researchers
The Pwn2Own contest takes place every year at the CanSecWest security conference in Vancouver, Canada, and is sponsored by Hewlett-Packard's Zero Day Initiative program.
During day 1, researchers saw successfully exploited Adobe Flash. The team of Zeguang Zhao (Team509), Peter, Jihui Lu, and wushi (KeenTeam) used a heap overflow remote code execution vulnerability in Flash, then leveraged a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. They were awarded $60,000 USD for the Flash bug and a bonus of $25,000 for the SYSTEM escalation.
Nicolas Joly followed with his own exploit of Flash. He used a use-after-free (UAF) remote code execution vulnerability and sandbox escape directory traversal vulnerability in the Flash broker. He was awarded $30,000 for his efforts.
Nicolas continued his exploitation domination by taking down Adobe Reader through a stack buffer overflow – once for an info leak and again for remote code execution. He then leveraged an integer overflow to exploit the broker, netting him a cool $60,000 USD.
From there, Peter, Jihui Lu, Wen Xu, wushi (KeenTeam), and Jun Mao (Tencent PCMgr) continued rollin’ in the heap by taking down Adobe Reader with an integer overflow and achieved pool corruption through a different TTF bug. This got them SYSTEM access and a total of $55,000 USD - $30,000 for the Reader bug and another $25,000 bonus for the SYSTEM escalation.