No-one is safe in Pwn2Own 2019 as Edge, Firefox, Safari and Tesla fall

Pwn2Own 2019 is currently running and if there is one thing which the contest admirably demonstrate it is that there is no such thing as a completely secure system.

In the last two days hackers, by simply visiting a specially crafted web page, have defeated Safari on MacOS, Edge on Windows 10, Firefox on Windows 10, and have also managed to escape out of two virtual machines with the ability to run code on the native hardware.

See the collected results below:

Day One

1000 – Fluoroacetate (Amat Cama and Richard Zhu) targeting Apple Safari plus a sandbox escape in the web browser category.

Success: – The Fluoroacetate team used a bug in JIT with a heap overflow to escape the sandbox. In doing so, they earn themselves $55,000 and 5 Master of Pwn points.

1130 – Fluoroacetate (Amat Cama and Richard Zhu) targeting Oracle VirtualBox in the virtualization category.

Success: – The Fluoroacetate team returned with a an integer underflow and a race condition to escape the virtual machine and pop calc on the underlying OS. They earned another $35,000 and 3 points towards Master on Pwn.

1300 – anhdaden of STAR Labs targeting Oracle VirtualBox in the virtualization category.

Success: – anhdaden uses an integer underflow in Orcale VirtualBox to go from the client to the underlying OS. In his first Pwn2Own, he earns himself $35,000 USD and 3 Master of Pwn point.

1430 – Fluoroacetate (Amat Cama and Richard Zhu) targeting VMware Workstation in the virtualization category.

Success: – The Fluoroacetate duo finished their first day by leveraging a race condition leading to an out-of-bounds write in the VMware client to execute their code on the host OS. The earn themselves another $70,000 and 7 more Master of Pwn points.

1600 – Phoenhex & qwerty (@_niklasb @qwertyoruiopz @bkth_) targeting Apple Safari with a kernel escalation in the web browser category.

Partial Success The phoenhex & qwerty team used a JIT bug followed by heap OOB read, then pivoted from root to kernel via a TOCTOU bug. It’s a partial win since Apple already knew 1 of the bugs. They still win $45,000 and 4 points towards Master of Pwn.

Day Two

1000 – Fluoroacetate (Amat Cama and Richard Zhu) targeting Mozilla Firefox with a kernel escalation in the web browser category.

Success: – The Fluoroacetate team used a bug in JIT along with an out-of-bounds write in the Windows kernel to earn themselves $50,000 and 5 Master of Pwn points.

1130 – Fluoroacetate (Amat Cama and Richard Zhu) targeting Microsoft Edge with a kernel escalation and a VMware escape in the web browser category.

Success: – The Fluoroacetate team used a comibnation of a type confusion in Edge, a race condition in the kernel, and finally a out-of-bounds write in VMware to go from a browser in a virtual client to executing code on the host OS. They earn $130,000 plus 13 Master of Pwn points.

1400 – Niklas Baumstark targeting Mozilla Firefox with a sandbox escape in the web browser category.

Success: – Niklas used a JIT bug in Firefox followed by a logic bug for the sandbox escape. The successful demonstration earned him $40,000 and 4 Master of Pwn points.

1530 – Arthur Gerkis of Exodus Intelligence targeting Microsoft Edge with a sandbox escape in the web browser category.

Success: – In his Pwn2Own debut, Arthur used a double free in the render and logic bug to bypass the sandbox. The effort earned him $50,000 and 5 points towards Master of Pwn.

Day Three

1000 – Team KunnaPwn targeting the VCSEC component of the Tesla Model 3 in the automotive category.

Withdrawn: – The Team KunnaPwn team has withdrawn their entry from the automotive category.

1300 – Fluoroacetate (Amat Cama and Richard Zhu) targeting the infotainment system (Chromium) on the Tesla Model 3 in the automotive category.

Success: – The Fluoroacetate duo used a JIT bug in the renderer to win $35,000 and a Model 3.

While the hackers have earned hundreds of thousands of dollars over the course of the contest, the ultimate aim is that these vulnerabilities have been closed off before malicious actors are able to use them against us, but it does remain worrying that no matter how many holes companies manage to patch, hackers are still able to come back with new vulnerabilities the next year.

Read more about the event at the Zero Day Initiative blog here.

Some links in the article may not be viewable as you are using an AdBlocker. Please add us to your whitelist to enable the website to function properly.

Related
Comments