Edge, VMWare, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017 (trendmicro.com)

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:
  • Ars Technica reports one team "compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in... by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware."
  • Digital Trends reports "Samuel Groß and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: 'pwned by niklasb and saelo.'"
  • Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, "triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user..." reports eWeek. "Chaitin Security Research Lab didn't stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS."
  • Another attacker "leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel."

None of the attendees registered to attempt an attack on the Apache Web Server on Ubuntu 16.10 Linux, according to eWeek, but the contest's blog reports that "We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points."


Comments:
  • by Anonymous Coward

    Why not display the hacks to the world (without how you did them) and let the open economy bid on the solution? Gotta be worth more than these dumb prizes.

    • by ColaMan ( 37550 ) on Sunday March 19, 2017 @03:00AM (#54068279) Journal

      That's the whole point of the competition.

      The cash prize + internet fame is designed to be enough of an incentive for you to give out the details instead of selling it on the black market.

      • by mysidia ( 191772 )

        instead of selling it on the black market.

        Assuming that if you come up with this exploit the CIA won't be knocking on your door with a better offer to tell them instead, and to keep it secret forever.

        • by ColaMan ( 37550 )

          Well, it's a case of:

          - Do this in public, and you have to disclose your exploit to get the cash

          - Demonstrate in private, somehow, get in touch with some secretive agency somehow, hope that they don't already have this exploit, hope that they simply won't steal your exploit, hope that they won't jail you for something along the lines of "attempted hacking", hope that someone else doesn't release exploit while you're doing this, eventually get cash.

          - Demonstrate in private, somehow, sell in black market and h

          • by mysidia ( 191772 )

            somehow, get in touch with some secretive agency somehow, hope that they don't already have this exploit, hope that they simply won't steal your exploit, hope that they won't jail you for something along the

            No.... The joke was the three-letter agency will be watching you, knowing you're a security researcher, so they already know you developed the exploit; They will be paying you for exclusivity, Also they'll be needing more work out of you to weaponize it, As for the other concerns, It's not illeg

        • You are supposed to sell it in a malware, antivirus, computer health, application and fill people with lots of popups and aggressive advertisement in downloads and fringe sites so people with such problems... (?) Anyway, the real solution is patching or versioning the underlying software and that is something OEM vendors are supposed to do, not just any company.
    • by tgv ( 254536 ) on Sunday March 19, 2017 @03:01AM (#54068285) Journal

      Not everybody is a greedy bastard.

      • by rtb61 ( 674572 )

        Nope, just all the arseholes at the top, ohh yeah. The richer you are the greedier you are and that's a fact.

        • Being rich doesn't make anyone greedy. Being greedy makes them rich.

          • by lucm ( 889690 ) on Sunday March 19, 2017 @09:43AM (#54068903)

            Being greedy makes them rich.

            You clearly never met my mother-in-law.

          • by mysidia ( 191772 )

            Being rich doesn't make anyone greedy. Being greedy makes them rich.

            If greed makes people rich, then how can you explain why there are not many more rich people?

            I see people visiting casinos all the time, or buying a handful of Powerball tickets, talking about how they want to have $1 Million or $1 Billion, or they think somebody else should pay for everything they want out of life.

  • by Foresto ( 127767 ) on Sunday March 19, 2017 @03:19AM (#54068311) Homepage

    "...the dozen laptops we handed out to winners."

    I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

    I suppose they would be useful as test hardware regardless.

    • I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

      If they're not compatible with coreboot, then I would sell it immediately.

    • Well, no system is perfect, and I think you are assuming those systems are never patched. From what I know about the contest, the software version is frozen for the contestants so it is not a moving target. In some cases the exploit might already be fixed in the most current version.
    • But, new or stolen laptops? It is not the same... I am waiting for policemen to recover the ELEVEN laptops that have been stolen from me in the prime of their system life, (oh, one mummy, one baby and two in their second infancy). I wonder if any of these guys had anything to do with it...? Fluorescence? I do have some trouble from time to time with screen brightness as of lately.
  • Chain of 6 Exploits (Score:5, Interesting)

    by mentil ( 1748130 ) on Sunday March 19, 2017 @03:27AM (#54068321)

    It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS.

    I have a feeling as security gets more sophisticated, these chains will get longer. Eventually, the chain will get too long for a human cracker to think up themselves, and software will be needed which classifies and chains together vulnerabilities to achieve a desired effect. Then it's a short auto-bug-finder away from allowing a self-sustaining botnet that adapts to security upgrades, and could become permanently out of control if the C&C is taken down/abandoned.

    • What if the automatic bug finder finds a crack in the C&C and compromises it to add it to the bot-net?
    • by BeerCat ( 685972 )

      it's a short auto-bug-finder away from allowing a self-sustaining botnet that adapts to security upgrades, and could become permanently out of control if the C&C is taken down/abandoned.

      I think you've just described a real-world version of Skynet.

      The Terminator: Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug.
      Sarah Connor: Skynet fights back.

    • If someone invents an auto-bug-finder, won't every software company run it on their software before releasing it, knowing that if they don't, the malware creators will?
      • If someone invents an auto-bug-finder, won't every software company run it on their software before releasing it, knowing that if they don't, the malware creators will?

        History suggests not. We have hundreds or thousands of static-analysis and dynamic-analysis tools, ranging from simple linters to hybrid-symbolic-and-instrumented-execution ones. Many are free, and commercial ones typically include convenient UIs, training, and ample support. Yet many companies still release software that doesn't even compile warning-free, much less run analysis tools against their source or binaries.

        In fact, there are a number of published tools which do most of the work of chaining vulner

    • People have been claiming this since before I got into the industry. In some far, far distant future when a protocol or OS has been written by aliens or AIs, maybe it will be too complicated but that's a long ways off. Some of these people are getting paid to find these types of issues and others just have the mind set and can think abstractly enough to be able to apply it. The human brain is incredibly good at connecting seemingly random things and then working towards applying them together. Not to mentio
      • (It is not that they are written by Humans but that we cannot test combinatorial explosions and only hope for some proven bounds to go by; this would be true of automatically written systems also unless you do have the time and not the profit incentive to go through an infinite series of chains...)
  • by rene2 ( 140113 ) on Sunday March 19, 2017 @03:48AM (#54068347)

    is the most impressive. Heads up for that achievement!

    • by swb ( 14022 )

      But only workstation.

      It'd be impressive if someone could break out of an ESXi hypervisor and then compromise vCenter. Maybe have some kind of command/control daemon on vCenter allowing implanting VMs.

      • by Burz ( 138833 )

        Like ESX, Xen is also a bare-metal hypervisor that is very secure (not counting QEMU, which is isolated in secure installations). Qubes OS is a desktop system based on Xen... https://www.qubes-os.org/ [qubes-os.org]

        • Xen is "very secure"?

          There were 15 Xen security vulnerabilities fixed this month [suse.com].

          Shi et al. just presented a paper on architectural security problems with Xen [internetsociety.org].

          Don't get me wrong - I appreciate the Xen team's efforts at security. And other hypervisors have their own problems (though it's been a while since I've seen a report of a VM escape from PR/SM). And "secure" isn't meaningful as an absolute; it only means something in relation to a threat model. But it's still rather premature to label Xen "very secure

          • by Burz ( 138833 )

            That's an interesting paper... I'm sure their 'nexen' approach will lead to some good things.

            Xen's vuln reporting is an umbrella for the core Xen hypervisor, plus a large codebase including QEMU functionality. Most of what gets reported as Xen vulnerabilities is QEMU-related or falls under minor or DoS... Some Xen project members realize this creates an inaccurate perception. However, secure Xen configurations do not utilize QEMU without isolating it in a stub domain.

            So far, there have been only 3 vulns that could cau

  • I thought that C# had automatic memory management.
    • by Behrooz Amoozad ( 2831361 ) on Sunday March 19, 2017 @05:30AM (#54068453)
      In a single AppDomain with one single thread and no lazy references, sure. If you write anything complex it can go straight to hell if you don't know exactly what you're doing.
      This includes every little messy detail on the multi-threaded multi-domain marking garbage collector with 3 lists and 5 heaps that traverses stacks of all threads on each collect, type inheritance with type casting direction, native calls with auto marshaling between managed and native types, AppDomains that should read each other's memory but not write it, etc.
      Source: C# developer since 2k3
      • "Not feasible in practice" is just what people said about stack smashing, until Levy published "Smashing the Stack for Fun and Profit".

        "Gee, I think this looks pretty hard, and I've written some code, bro!" is a pretty weak security analysis, and a worse mitigation.

        (And, of course, there are a great many C# developers who know very little about how the CLR works, or what goes on in an AppDomain, etc. As a demonstration of authority, "C# developer since 2k3" is pretty weak too.)

        • My point was: if you're working on something like Edge you should know a lot more than a developer that smashes a couple of wizard forms together, and some of the Edge guys probably did not. Just listed some of the usual things that go wrong to show how deep you have to think sometimes.
          Has nothing to do with me being good or bad or bragging about it. I don't even own a single device with any Microsoft products on it, so I don't really care.
  • by EditDistance ( 1037142 ) on Sunday March 19, 2017 @04:59AM (#54068431)
    Only yesterday, Microsoft was shoving advertisements for Edge in my face and proudly proclaiming it was the most secure browser... Those claims look ridiculous this morning. Looks like an epic hack, seriously cool.
    • Now that the bugs are discovered and will be patched, it will be the most secure browser.
    • I never use Edge, so it's the most secure browser for me!

      Well, tied with Opera, Safari, Konqueror, Vivaldi, Sea Monkey, Mosaic,[1] HotJava, ...

      Of course, "most secure browser" is far too vague to mean anything. There's no threat model specified, and web browsers now do so many things that their "security" is extremely nebulous. The claim is just puffery, like "Microsoft cigarettes are the smoothest!".

      [1] I used to use Mosaic, back in 1993, but I've given it up since.

  • by Gravis Zero ( 934156 ) on Sunday March 19, 2017 @05:25AM (#54068447)

    I love that people are exposing exploits in Linux (new or old versions) because it means we all get fixes and a little more safety from the bad guys. :)

    • I love that people are exposing exploits in Linux (new or old versions) because it means we all get fixes and a little more safety from the bad guys. :)

      Well, these are white hats, so not really bad guys. I do hope however they have some way of reporting these bugs upstream before revealing them.
