
Sunday, 13 April 2014

Major browsers fall during second day at Pwn2Own hacking contest

IDG News Service - Security researchers demonstrated zero-day exploits against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox and Adobe Flash Player during the second day of the Pwn2Own hacking competition Thursday, racking up total prizes of $450,000.

A team from French vulnerability research firm Vupen hacked Google Chrome by exploiting a use-after-free vulnerability that affects both the WebKit and Blink rendering engines. The researchers then successfully bypassed Chrome's sandbox protection to execute arbitrary code on the underlying system.

On Wednesday, the first day of the contest that takes place every year at the CanSecWest security conference in Vancouver, researchers from the same team hacked Internet Explorer 11, Firefox, Flash Player and Adobe Reader.

Another anonymous researcher presented a Chrome remote code execution exploit Thursday, but the contest judges declared it only a partial win because some details of the hack were similar to those of an exploit presented earlier at Pwnium, Google's own hacking contest that runs alongside Pwn2Own.

Well-known iPhone and PlayStation 3 hacker George Hotz, known online as geohot, demonstrated a remote code execution exploit against Firefox, making it the competition's fourth successful hack against Mozilla's browser. Aside from Team Vupen, security researchers Jüri Aedla and Mariusz Mlynski had also compromised Firefox during the first day of the contest by exploiting different vulnerabilities.

On Thursday, researchers Sebastian Apelt and Andreas Schmidt demonstrated a browser-based exploit against Microsoft Internet Explorer that chained together two use-after-free vulnerabilities and a Windows kernel bug to open the Windows calculator application, proving remote code execution.

Another researcher, Liang Chen of the Chinese Keen Team, combined a heap overflow vulnerability with a sandbox bypass to achieve remote code execution through Apple Safari. He and fellow researcher Zeguang Zhou of team 509 then demonstrated a remote code execution exploit for Adobe Flash Player.

All the vulnerabilities exploited during Pwn2Own were shared with the vendors of the affected products.

The prizes won during the second and final day of the competition brought the total contest payout to a record $850,000, not including charitable donations or the value of the test laptops won by the researchers after their successful hacks.

During a side challenge dubbed Pwn4Fun, security researchers from Google competed against researchers from Hewlett-Packard's DVLabs Zero Day Initiative (ZDI) who organize the Pwn2Own contest. The Google team hacked Apple Safari and the ZDI team hacked IE11 by combining multiple exploits. The challenge raised $82,500 for the Canadian Red Cross.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.


Friday, 11 April 2014

Researchers pocket record $400K at Pwn2Own hacking contest's first day

Computerworld - Researchers on Wednesday cracked Microsoft's Internet Explorer 11 (IE11), Mozilla's Firefox and Adobe's Flash and Reader at the Pwn2Own hacking contest, earning $400,000 in prizes, a one-day record for the challenge.

Pwn2Own continues today, when other teams and individual researchers will take their turns trying to break Apple's Safari and Google's Chrome.

A team from Vupen, a French vulnerability research firm and seller of zero-day flaws to governments and law enforcement agencies, ended Wednesday $300,000 richer, having hacked Adobe Flash, Adobe Reader, Firefox and IE11 for a one-day foursome, another record.

Firefox was victimized a total of three times in just over six hours, once by Vupen and then two other times by researchers Mariusz Mlynski and Jüri Aedla, with each winner picking up $50,000 for their exploit.

Although Pwn2Own was originally going to offer cash prizes only to the first who hacked each target, the contest organizer, Hewlett-Packard's Zero Day Initiative (ZDI), changed the ground rules on the fly, saying early Wednesday that it would pay for all vulnerabilities used by the contestants.

With that move, ZDI, a bug bounty program that's part of HP's TippingPoint division, said it and co-sponsor Google -- the latter pitched in 25% of the prize money -- would end up paying more than $1 million if all 15 entrants, another record, were successful.

Wednesday's efforts were impressive in their own right, with each scheduled target falling to researchers within five minutes. Contestants come to Pwn2Own with zero-day vulnerabilities and exploits in their pockets, and do not find the bugs and craft attack code on-site.

"All the exploits were unique in their own way," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview after the conclusion of Pwn2Own's first day. Gorenc declined to single out the most impressive or elegant exploit. "It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities."

A "sandbox" is an anti-exploit technology deployed by some software -- Internet Explorer, Flash and Reader all rely on sandboxes -- that is designed to isolate an application so that if attackers do find a vulnerability in the code, they must circumvent, or "escape," the sandbox to execute their malicious code on the machine. Sandbox escapes typically require chained exploits of two or more vulnerabilities.

The day's total of $400,000 nearly matched last year's Pwn2Own two-day payout of $480,000.

Vupen kicked off the day by hacking Adobe Reader, winning $75,000 for the feat.

"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw). Exploit reported to Adobe!," Vupen said on its Twitter account.

Next up was IE11 on a notebook running Windows 8.1, Microsoft's most-current operating system. "We've pwnd IE11 on Win 8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox," Vupen announced on Twitter after grabbing $100,000 for the hack.

"Use-after-free" is a term for a type of memory management bug, while "broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes. A flaw in a broker, as Vupen demonstrated, can have catastrophic effects, letting a hacker escape the sandbox and execute attack code.

Vupen also exploited Adobe Flash and Firefox, Mozilla's open-source browser, winning prizes of $75,000 and $50,000, respectively.
