Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari (securityweek.com)
wiredmikey writes: Pwn2Own 2016 contestants hacked Apple's Safari Web Browser, Adobe Flash Player and Google Chrome, and earned more than $280,000 on the first day of the competition taking place this week alongside the CanSecWest conference in Vancouver, Canada. This is the first edition of Pwn2Own where contestants have been invited to escape a VMware virtual machine for a bonus of $75,000, though there has not been a successful exploit yet in this class by any contestant this week. It remains to be seen if contestants manage to surpass last year's total payout, when white hat hackers earned $552,000 at Pwn2Own.
They're all guilty (Score:1)
They're hackers.
Re: (Score:3)
Re: (Score:3)
No,
not all of them are white. Don't assume race, man!
Re: (Score:3)
#saltinelivesmatter
VM escapes (Score:3)
I keep waiting for someone to find a vulnerability in VMware that lets a VM keep running without appearing in inventory. Bonus points if it can vMotion itself and have access to the management side to manipulate networks.
Re: (Score:2)
It's not a vulnerability, but you can hide it completely from displayed inventory (vCenter) by taking away access from vpxuser. Or from root on a standalone ESXi instance.
Re: (Score:2)
I can see a VM playing games with hitting the vCPU hard so DRS rules kick off and bounce the VM around to different physical ESXi boxes, and then using timing techniques, check to see which ESXi box it is sitting on, in order to move to a particular node in a vSphere cluster.
If a VM can get access to the management interface [1], that would be a game over. From there, it would be a matter of brute forcing users (although 6.0 will lock the account for 120 seconds after ten bad guesses) to get access to crit
Re: (Score:2)
Two different points. If one has a clue, it isn't hard to ensure that a VM doesn't have access to the management network. However, if there is a weakness in the hypervisor, a rogue/compromised VM getting access to that isn't a good thing.
However, being able to use DRS so a VM physically runs on a box (perhaps to use a hardware security hole with the physical CPU like RAM row hammering) is one attack vector that can come into play. It is relatively minor, but it is present.
Re: (Score:2)
If you can cause the account to be locked for 2 minutes by making 10 attempts, then you could rapidly make intentionally bogus login attempts and render all accounts inaccessible, which would be somewhat painful to fix.
Wrong subsequent links (Score:5, Informative)
All three links lead to the same article, which seems to be a copy&paste oversight.
I believe the second link was meant to be http://www.securityweek.com/ha... [securityweek.com] and the third http://www.securityweek.com/re... [securityweek.com]
Re: (Score:2)
I seem to recall this year Firefox is not being included in the competition, because it's too easy. Can someone confirm?
Re: (Score:2)
Too easy. In fact, just getting my game running under Firefox exposed at least half a dozen vulnerabilities in the way they handle WebGL and Canvas2D.
Chrome isn't MUCH better, but at least it can handle WebGL failures gracefully.
Re: (Score:2)
Re: (Score:2)
I hope he didn't. The only response you'll get is WebGL removed from Firefox because it's "what users wanted".
Re: (Score:2)
As if Mozilla even truly has the resources to fix half of the shit they're tossing into their browser in the name of 'competing and being cutting-edge.'
Bitch too much about it, they'd remove it entirely.
Pwn2Own is too narrow in the scope (Score:2)
Re: (Score:2)
The browser is one of the most common vectors to compromise a system. Why would you NOT attack it when it's proven to be horrendously weak?
Re:Pwn2Own is too narrow in the scope (Score:4, Insightful)
Because browsers have a very large, very public attack surface and come from the desktop mentality where security wasn't even considered until recently...
Databases etc *should* have limited exposure to untrusted networks, and thus less attack surface - you typically interact with a frontend application rather than directly with the database for instance.
Webservers are obviously inherently public, but security on web servers has been a serious concern for a long time plus the typical web server is far less complex than a browser. Most web based vulnerabilities these days exist in individual applications rather than the web server software itself.
Re:Very happy... (Score:5, Informative)
Virtualization is one of the biggest defensive tools we have against compromise. From being able to roll back or discard/spin up a VM if it is compromised to popping snapshots of disk and memory and scanning those for running malware, or just to keep bad stuff from trying to flash firmware to a real device like a bare metal hard disk, virtualization is a must.
My concern is that it isn't just the ESXi hypervisor that keeps the bad guys out. There are four main hypervisors out there that need to be looked at: ESXi, Hyper-V, Linux KVM, and Xen, with Xen giving way to KVM. There are also containers like LXC and Docker that are important as well. I can see KVM being more of an issue over time as OpenStack goes from "cool toy" to production quality.
The good thing is that hypervisors in general have a limited attack surface, run relatively few applications, and tend to have a better focus on security than general operating systems.
Re: Very happy... (Score:2)
The most likely exploit on a Hypervisor is with a Paravirtualized driver.
I used to crash VirtualBox trying to run OpenGL on an Ubuntu guest. If I recall correctly it was crashing because VB didn't support some shared OpenGL context thing. If it's running with graphics it shouldn't take long to exploit.
Flash? (Score:5, Funny)
I hope the prize for hacking Flash was like 5 bucks.
Talk about low hanging fruit...
Re: (Score:1)
I'm still in shock that they accepted Flash exploits this year, but not Firefox ones. That's like being upset about the Titanic when there are aliens hovering over every major landmark with their death-cannons trained on them.
How exciting! (Score:2)
Since when is cracking Flash considered to be some feat of hacking genius? I'd be more interested if someone could make Flash secure without disabling and deleting it completely.
Re: (Score:3)
That's because no one uses it. Notice something about the targets? They all have enormous install bases.
Sigh. This is one of the excuses that people make when their preferred browser gets hacked first (especially if a Microsoft one wasn't hacked). The order in which targets and teams are scheduled is decided by random draws.
The targets today included Adobe Flash on Microsoft Edge. That attack failed. Tomorrow, two other teams are scheduled to take on MS Edge, so maybe they will have more success.
Re: (Score:2)
Edge attacks itself. Try to get my game running on it, it horks and dies.
Can't hack something that's dead on arrival.