Edge, VMWare, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:

• Ars Technica reports one team "compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in... by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware."
• Digital Trends reports "Samuel Grob and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: "pwned by niklasb and saelo."
• Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, "triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user..." reports eWeek. "Chaitin Security Research Lab didn't stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS."
• Another attacker "leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel."

None of the attendees registered to attempt an attack on the Apache Web Server on Ubuntu 16.10 Linux, according to eWeek, but the contest's blog reports that "We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points."

Have fun with those Pwn points!

[Anonymous Coward]

Why not display the hacks to the world (without how you did them) and let the open economy bid on the solution? Gotta be worth more than these dumb prizes.

Re:Have fun with those Pwn points!

[ColaMan]

That's the whole point of the competition.

The cash prize + internet fame is designed to be enough of an incentive for you to give out the details instead of selling it on the black market.

Re:

[mysidia]

instead of selling it on the black market.

Assuming that if you come up with this exploit the CIA won't be knocking on your door with a better offer to tell them instead, and to keep it secret forever.

Re:

[ColaMan]

Well, it's a case of:

- Do this in public, and you have to disclose your exploit to get the cash

- Demonstrate in private, somehow, get in touch with some secretive agency somehow, hope that they don't already have this exploit, hope that they simply won't steal your exploit, hope that they won't jail you for something along the lines of "attempted hacking", hope that someone else doesn't release exploit while you're doing this, eventually get cash.

- Demonstrate in private, somehow, sell in black market and h

Re:

[mysidia]

somehow, get in touch with some secretive agency somehow, hope that they don't already have this exploit, hope that they simply won't steal your exploit, hope that they won't jail you for something along the

No.... The joke was the three-letter agency will be watching you, knowing you're a security researcher, so they already know you developed the exploit; They will be paying you for exclusivity, Also they'll be needing more work out of you to weaponize it, As for the other concerns, It's not illeg

Re:

[syntotic]

You are supposed to sell it in a malware, antivirus, computer health, application and fill people with lots of popups and aggressive advertisement in downloads and fringe sites so people with such problems... (?) Anyway, the real solution is patching or versioning the underlying software and that is something OEM vendors are supposed to do, not just any company.

Re:Have fun with those Pwn points!

[tgv]

Not everybody is a greedy bastard.

Re:

[rtb61]

Nope, just all the arseholes at the top, ohh yeah. The richer you are the greedier you are and that's a fact.

Re:

[drinkypoo]

It's not fact. Unless you have studied, psychologically profiled; including various other tests, every single person that kept getting richer and richer, to see if they became more greedy, then, it's not fact.

If you're rich and getting richer while others are poor and keep getting poorer then you're greedy, and that's a fact, jack. Because all you have to do to not be greedy is share, and if you do that, you'll stop getting richer.

Greed is clearly a powerful motivator, but it can equally clearly be taken too far.

Re: Have fun with those Pwn points!

[valdezjuan]

That's not 100% true. Look at Gates and Buffet, they are getting richer but they are donating billions to charities and research, they are also not alone in doing that.

Re:

[James_Duncan8181]

They aren't getting richer, they have committed most of their assets to ongoing projects. As such, they have become poorer in the purely personal sense.

Re:

[mysidia]

If you're rich and getting richer while others are poor and keep getting poorer then you're greedy, and that's a fact

NOPE. That's an opinion or unproven theory. You can also share without failing to continue getting richer, by making sure you continue to gain more than amount of what you share plus your regular expenses. What do you define greed as, And is it your opinion that greed is not a good thing ?

Re:

[Gavagai80]

Being rich doesn't make anyone greedy. Being greedy makes them rich.

Re:Have fun with those Pwn points!

[lucm]

Being greedy makes them rich.

You clearly never met my mother-in-law.

Re:

[mysidia]

Being rich doesn't make anyone greedy. Being greedy makes them rich.

If greed makes people rich, then how can you explain why there are not many more rich people?

I see people visiting casinos all the time, or buying a handful of Powerball tickets, talking about how they want to have $1 Million or $1 Billion, Or they think somebody else should pay for everything they want out of life.

Re:

[lucm]

These vulnerabilities are insignificant and will be fixed, so let's talk about the far more important and pressing issues of race and race relations.

You mean like diversity hiring initiatives in Silicon Valley?

Do security researchers trust those laptops?

[Foresto]

"...the dozen laptops we handed out to winners."

I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

I suppose they would be useful as test hardware regardless.

Re:

[drinkypoo]

I wonder whether the security researchers who were given those laptops would ever consider trusting those laptops.

If they're not compatible with coreboot, then I would sell it immediately.

Re:

[drinkypoo]

shut up you fucking troll.

Not that I expect a response, but is this really your only hobby? I mean, take up origami or something. It's cheap.

Re:

[drinkypoo]

You should take your own advice.. every fucking story I ready, there you are with a handful of other kiwifruits that have to post,

And it makes you angry that people are posting comments to a discussion forum?

Re:

[drinkypoo]

different AC. looks like you have an admirer.

Having an opinion leads to being trolled. Having lots of opinions leads to lots of being trolled. I just don't understand the people who think that doing a lot of posting to Slashdot is some kind of hardship. I've been chatting since before I had internet access, on BBSes. In the eighties. Typing is as easy as breathing.

Re: Do security researchers trust those laptops?

[UnknowingFool]

Well no system is perfect and I think you as assuming those systems are never patched ever. From what I know about the contest, the software version is frozen for the contestants so it is not a moving target. In some cases the exploit might already be fixed in the most current version.

Re:

[syntotic]

But, new or stolen laptops? It is not the same... I am waiting for policemen to recover the ELEVEN laptops that have been stolen from me in the prime of their system life, (oh, one mummy, one baby and two in their second infancy). I wonder if any of these guys had anything to do with it...? Fluorescence? I do have some trouble from time to time with screen brightness as of lately.

Chain of 6 Exploits

[mentil]

It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS.

I have a feeling as security gets more sophisticated, these chains will get longer. Eventually, the chain will get too long for a human cracker to think up themselves, and software will be needed which classifies and chains together vulnerabilities to achieve a desired effect. Then it's a short auto-bug-finder away from allowing a self-sustaining botnet that adapts to security upgrades, and could become permanently out of control if the C&C is taken down/abandoned.

Re:

[platinummyr]

What if the automatic bug finder finds a crack in the C&C and compromises it to add it to the bot-net?

Re:

[BeerCat]

it's a short auto-bug-finder away from allowing a self-sustaining botnet that adapts to security upgrades, and could become permanently out of control if the C&C is taken down/abandoned.

I think you've just described a real world version of Skynet

The Terminator: Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug.
Sarah Connor: Skynet fights back.

Re:

[Place a name here]

If someone invents an auto-bug-finder, won't every software company run it on their software before releasing it, knowing that if they don't, the malware creators will?

Re:

[michael_wojcik]

If someone invents an auto-bug-finder, won't every software company run it on their software before releasing it, knowing that if they don't, the malware creators will?

History suggests not. We have hundreds or thousands of static-analysis and dynamic-analysis tools, ranging from simple linters to hybrid-symbolic-and-instrumented-execution ones. Many are free, and commercial ones typically include convenient UIs, training, and ample support. Yet many companies still release software that doesn't even compile warning-free, much less run analysis tools against their source or binaries.

In fact, there are a number of published tools which do most of the work of chaining vulner

Re: Chain of 6 Exploits

[valdezjuan]

People have been claiming this since before I got into the industry. In some far, far distant future when a protocol or OS has been written by aliens or AIs, maybe it will be too complicated but that's a long ways off. Some of these people are getting paid to find these types of issues and others just have the mind set and can think abstractly enough to be able to apply it. The human brain is incredibly good at connecting seemingly random things and then working towards applying them together. Not to mentio

Re:

[syntotic]

(It is not that they are written by Humans but that we cannot test combinatorial explosions and only hope for some proven bounds to go by; this would be true of automatically written systems also unless you do have the time and not the profit incentive to go through an infinite series of chains...)

Re: Chain of 6 Exploits

[p91paul]

I'd bet more on this problem to be undecidable...However, a program able to find and use more bugs than most humans (weakening the "discover *all* bugs" requirement) might be feasible instead. I believe it's still very far away anyway.

Breaking out of VMware

[rene2]

is the most impressive. Heads up for that achievements!

Re:

[swb]

But only workstation.

It'd be impressive if someone could break out of an ESXi hypervisor and then compromise vCenter. Maybe have some kind of command/control daemon on vCenter allowing implanting VMs.

Re:

[Burz]

Like ESX, Xen is also a bare-metal hypervisor that is very secure (not counting QEMU, which is isolated in secure installations). Qubes OS is a desktop system based on Xen... https://www.qubes-os.org/ [qubes-os.org]

Re:

[michael_wojcik]

Xen is "very secure"?

There were 15 Xen security vulnerabilities fixed this month [suse.com].

Shi et al. just presented a paper on architectural security problems with Xen [internetsociety.org].

Don't get me wrong - I appreciate the Xen team's efforts at security. And other hypervisors have their own problems (though it's been a while since I've seen a report of a VM escape from PR/SM). And "secure" isn't meaningful as an absolute; it only means something in relation to a threat model. But it's still rather premature to label Xen "very secure

Re:

[Burz]

Tha's an interesting paper... I'm sure their 'nexen' approach will lead to some good things.

Xen's vuln reporting is an umbrella for the core Xen hypervisor, plus a large codebase including QEMU functionality. Most of what gets reported as Xen vulnerabilities is QEMU or fall under minor or DOS...Some Xen project members realize this creates an inaccurate perception. However, secure Xen configurations do not utilize QEMU without isolating it in a stub domain.

So far, there have been only 3 vulns that could cau

use-after-free bugs in Microsoft Edge

[ilguido]

I thought that C# had automatic memory management.

Re:use-after-free bugs in Microsoft Edge

[Behrooz Amoozad]

In a single AppDomain with one single thread and no lazy references, sure. If you write anything complex it can go straight to hell if you don't know exactly what you're doing.
This includes every little messy detail on the multi-threaded multi-domain marking garbage collector with 3 lists and 5 heaps that traverses stacks of all threads on each collect, type inheritance with type casting direction, native calls with auto marshaling between managed and native types, AppDomains that should read eachothers' memory but not write it, etc.
Source: C# developer since 2k3

Re:

[michael_wojcik]

"Not feasible in practice" is just what people said about stack smashing, until Levy published "Smashing the Stack for Fun and Profit".

"Gee, I think this looks pretty hard, and I've written some code, bro!" is a pretty weak security analysis, and a worse mitigation.

(And, of course, there are a great many C# developers who know very little about how the CLR works, or what goes on in an AppDomain, etc. As a demonstration of authority, "C# developer since 2k3" is pretty weak too.)

Re:

[Behrooz Amoozad]

My point was, If you're working on something like Edge you should know a lot more than a developer that smashes a couple wizard forms together and some of the Edge guys probably did not, Just listed some of the usual things that go wrong to show how deep you have to think sometimes.
Has nothing to do with me being good or bad or bragging about it. I don't even own a single device with any microsoft products on it, so I don't really care.

Re:

[michael_wojcik]

You know, I think I completely misread your previous post. My apologies.

The Edge of Karma

[EditDistance]

Only yesterday, Microsoft was shoving advertisements for Edge in my face and proudly proclaiming it was the most secure browser... This claims look ridiculous this morning. Looks like an epic hack, seriously cool.

Re:

[twistedcubic]

Now that the bugs are discovered and will be patched, it will be the most secure browser.

Re:

[michael_wojcik]

I never use Edge, so it's the most secure browser for me!

Well, tied with Opera, Safari, Konqueror, Vivaldi, Sea Monkey, Mosaic,[1] HotJava, ...

Of course, "most secure browser" is far too vague to mean anything. There's no threat model specified, and web browsers now do so many things that their "security" is extremely nebulous. The claim is just puffery, like "Microsoft cigarettes are the smoothest!".

[1] I used to use Mosaic, back in 1993, but I've given it up since.

Great!

[Gravis Zero]

I love that people are exposing exploits in Linux (new or old versions) because it means we all get fixes and a little more safety from the bad guys. :)

Re:

[Carewolf]

I love that people are exposing exploits in Linux (new or old versions) because it means we all get fixes and a little more safety from the bad guys. :)

Well, these are white hats, so not really bad guys. I do hope however they have some way of reporting these bugs upstream before revealing them.

Re: Great!

[valdezjuan]

Most of the vendors are the ones putting up the cash, they are certainly paying attention.