Firefox, Chrome, IE, Safari EXPLOITED to OWN Mac, PCs at Pwn2Own 2015

Let's say those $225k winnings moved me ... to a bigger house!

41 Reg comments Got Tips?

Security vulns in every one of the big four web browsers were exploited at the Pwn2Own hacking contest on Friday to remotely execute arbitrary code on Windows PCs.

Firefox, Safari, Chrome and Internet Explorer all fell to the skills of the competition entrants, some in less than a second.

All the vulnerabilities exploited will be privately disclosed to the affected software makers so patches can be released. Details are deliberately vague at the moment in the interests of responsible disclosure.

One man will be leaving Vancouver with a huge grin on his face and a very healthy bank balance, enough to help him move to a better house. South Korean security researcher Jung Hoon Lee, who uses the handle "lokihardt," scooped $225,000 (and the laptops he compromised) after an epic bout of intrusion.

Firstly Lee hammered 64-bit Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) vulnerability and a sandbox escape through privileged JavaScript injection to get past Windows' security software and pull off medium-integrity remote code execution (with the same privileges as a logged-in user). That netted him $65,000 for the feat.

Youtube Video

He then compromised the stable and beta versions of Google Chrome by exploiting a buffer overflow bug in a race condition to reach into the Windows operating system, where he used an information leak and a race condition bug in two kernel drivers to perform full SYSTEM-level remote code execution.

The hackery earned him $75,000 for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and a bonus $10,000 from Google for cracking its beta version of the browser, all in two minutes. That's a pay scale of $916 a second.

For his finale, Lee nailed Apple's Safari with a use-after-free (UAF) vulnerability involving an uninitialized stack pointer, and bypassed the sandbox to perform remote code execution on an OS X Mac. This earned him a $50,000 bonus, bringing his earnings to $225,000 for the day.

But the speed demon of the contest was a hacker using the name ilxu1a, who managed to remotely compromise Mozilla's Firefox in less than a second. He had spotted a vulnerability by static analysis alone, rather than fuzzing, and used an out-of-bounds read/write vulnerability leading to medium-integrity code execution in the browser, and a $15,000 prize.

While the hackers are going to be happy with the last two days, browser manufacturers and customers are going to be less pleased. But it's one of the strengths of competitions like Pwn2Own that coders can earn decent cash to find these flaws, and the rest of us save a lot of money by getting them fixed before others discover the security blunders. ®


Biting the hand that feeds IT © 1998–2020