Hackers were able to poke holes in nearly every major browser, including Mozilla Firefox, Apple Safari, and Microsoft Edge, late last week as part of this year's iteration of Pwn2Own.
Pwn2Own, an annual hacking competition that pits contestants against enterprise applications, servers, virtualization software, and web browsers, occurs each March alongside CanSecWest, a security conference held in Vancouver, British Columbia.
Trend Micro’s Zero Day Initiative, which puts on the two-day event, regularly purchases the vulnerabilities and discloses each bug to its respective vendor.
Samuel Groß, a German hacker who last year managed to broadcast a special message across a MacBook Pro's Touch Bar, was at it again this year. Groß was working with Niklas Baumstark, a fellow academic from the Karlsruhe Institute of Technology, as part of a team, Phoenhex. On the first day of Pwn2Own Groß used a JIT optimization bug in Safari combined with a macOS logic bug to escape the sandbox. He compounded the exploit with a kernel overwrite to execute code with a kernel extension, subsequently owning Safari and earning $65K.
Confirmed! @5aelo used a JIT optimization bug in the browser, a macOS logic bug, & a kernel overwrite to execute code to successfully exploit Apple Safari. This chain earned him $65K & 6 Master of Pwn points.
— Zero Day Initiative (@thezdi) March 15, 2018
Three hackers working with international cybersecurity research firm MWR Labs, Alex Plaskett, Georgi Geshev, and Fabi Beterke, were also able to bring down Safari. On the competition's second day the trio exploited a heap buffer underflow, coupled with an uninitialized stack variable in macOS. The chain escaped the sandbox, gained them code execution, and earned $55K.
Another trio of hackers, Markus Gaasedelen, Nick Burnett, and Patrick Biernat, targeted Safari with a macOS kernel elevation of privilege bug but couldn't pull off their exploit in the allotted timeframe. According to the Zero Day Initiative the bugs will still be submitted to Apple for review.
While Safari was targeted the most over the course of the two days, it was an Edge vulnerability that fetched the highest payout. Richard Zhu, a hacker who goes by the handle 'fluorescence', targeted the browser with a pair of use-after-free bugs and an integer overflow in the kernel to run code with elevated privileges, an exploit that earned the Carnegie Mellon alum $70K.
Zhu added to that sum on the competition's second day, winning $50K after using an out-of-bounds write in Firefox to break the browser.
Zhu, who at this point has become somewhat of a Pwn2Own veteran, used two use-after-free bugs and a buffer overflow in the Windows kernel to earn $55K last year.
Baumstark, the other representative from Team Phoenhex, targeted Oracle VirtualBox, Oracle's virtualization software, with an out-of-bounds read and a time-of-check-time-of-use bug to earn $27K. The judges ruled the exploit a partial success, which is why he was awarded only part of the $35K award amount for the target.
The competition has previously allowed entrants to target virtualization software like Microsoft Hyper-V and VMware's Workstation but this is the first year VirtualBox was included.
In total the Zero Day Initiative handed out $267K for five Apple bugs, four Microsoft bugs, two Oracle bugs, and a Mozilla bug.
Dustin Childs, director of communications at the Zero Day Initiative, acknowledged on Friday in a recap of the competition that it was smaller this year. In recent years the contest has been dominated by Chinese security firms, including Tencent Security, Qihoo 360 Security, and, last year, Chaitin Security Research Lab. All of those groups were absent this year. CyberScoop, a cybersecurity publication run by Scoop News Group, reported earlier this month that regulatory changes in China have discouraged the aforementioned groups from attending global exploit contests like Pwn2Own. It remains to be seen when or if the groups will return to the competition.
Also absent from the competition were any exploits against Adobe Reader, a common target each year, and the browser with the largest market share, Google Chrome.
This year ZDI partnered with Microsoft for the competition and offered thousands of dollars to hackers who could break its software, including Windows Defender Application Guard (WDAG) for Edge, Windows SMB, and its Hyper-V client. No successful attempts were made.
Mozilla, as it did last year with an integer overflow vulnerability disclosed at the competition, was quick to fix the out-of-bounds write discovered by Zhu. On Friday the company said the memory write bug could be triggered by processing Vorbis audio data. It pushed Firefox 59.0.1 to address the bug and another critical out-of-bounds memory write in the libtremor library on Android and ARM platforms.
It's unclear when the rest of the affected vendors will issue patches for the vulnerabilities identified last week. Fixes for Pwn2Own vulnerabilities uncovered in Apple and Microsoft software, however, usually find their way into updates pushed in May.