March 22, 2015 at 20:10Pwn2Own 2015: results
The second day of Pwn2Own ended with the successful exploitation of vulnerabilities in all declared browsers: Google Chrome, Microsoft IE11, Apple Safari, Mozilla Firefox. Information about the first day of the competition we posted in the previous post, the used configuration of browsers and OS was also indicated there. Unlike the first day, this time, remote code execution was also demonstrated in the Google Chrome browser.
An update for the Mozilla Firefox browser that fixes vulnerabilities demonstrated in the contest has already been released to users. Updates for other browsers will come later. For two days of the competition, the reschers managed to earn $ 557,500, and all the declared browsers and plugins for them were successfully hacked.
Paid funds of the second day of the competition were distributed as follows:
= $ 240K cash.
Competitors managed to bypass the sandbox mechanism, which browsers use to isolate the processes of their tabs in the OS. An additional reward of $ 25K was paid for exploiting a vulnerability in Windows itself, which allowed code to be executed at the maximum privilege level of SYSTEM ( full sandbox bypass ). In the case of IE11, the sandbox (EPM) mechanism was bypassed by introducing a special JavaScript fragment into the browser process, which allowed the code to be executed at the Medium Integrity Level (IL). In the case of Google Chrome, in addition to exploiting the RCE vulnerability itself, an LPE exploit for Windows was demonstrated, which allowed to increase privileges in the system to the SYSTEM level. Researchers also managed to compromise the beta version of the browser.
For both days of the competition, the following product vulnerabilities were demonstrated:
This year the bar of exploitation complexity was increased, in addition to the use of 64-bit applications and OS, the regulation determined the presence of the active MS EMET tool in the system, which allows you to block a large number of techniques used by exploits in their work, including to bypass DEP & ASLR. As usual, the demonstrated vulnerabilities and exploits for them should be previously unknown (0day) and should not have been publicly disclosed before the contest.
An update for the Mozilla Firefox browser that fixes vulnerabilities demonstrated in the contest has already been released to users. Updates for other browsers will come later. For two days of the competition, the reschers managed to earn $ 557,500, and all the declared browsers and plugins for them were successfully hacked.
Paid funds of the second day of the competition were distributed as follows:
- Mozilla Firefox x 1 = $ 15K
- MS IE11 x 1 = $ 65K
- Google Chrome x 1 = $ 75K + 25K (sandbox bypass, SYSTEM) + $ 10K (beta version exploitation) = $ 110K
- Apple Safari x 1 = $ 50K
= $ 240K cash.
Competitors managed to bypass the sandbox mechanism, which browsers use to isolate the processes of their tabs in the OS. An additional reward of $ 25K was paid for exploiting a vulnerability in Windows itself, which allowed code to be executed at the maximum privilege level of SYSTEM ( full sandbox bypass ). In the case of IE11, the sandbox (EPM) mechanism was bypassed by introducing a special JavaScript fragment into the browser process, which allowed the code to be executed at the Medium Integrity Level (IL). In the case of Google Chrome, in addition to exploiting the RCE vulnerability itself, an LPE exploit for Windows was demonstrated, which allowed to increase privileges in the system to the SYSTEM level. Researchers also managed to compromise the beta version of the browser.
For both days of the competition, the following product vulnerabilities were demonstrated:
- 5 vulnerabilities in Windows;
- 4 vulnerabilities in IE11;
- 3 vulnerabilities in Firefox;
- 3 vulnerabilities in Adobe Reader;
- 3 vulnerabilities in Adobe Flash;
- 2 vulnerabilities in Apple Safari;
- 1 vulnerability in Chrome.
The exploit must work when all of Microsoft's Enhanced Mitigation Experience Toolkit (most current version) mitigation protections compatible with the target are fully enabled . The vulnerabilities utilized in the attack must be unknown, unpublished, and not previously reported to the vendor.
This year the bar of exploitation complexity was increased, in addition to the use of 64-bit applications and OS, the regulation determined the presence of the active MS EMET tool in the system, which allows you to block a large number of techniques used by exploits in their work, including to bypass DEP & ASLR. As usual, the demonstrated vulnerabilities and exploits for them should be previously unknown (0day) and should not have been publicly disclosed before the contest.