Pwn2Own 2015: first results

    The first day of the well-known Pwn2Own 2015 contest is over. Participants were invited to demonstrate working exploits for Remote Code Execution (RCE) and Local Privilege Escalation (LPE) vulnerabilities. This year the cash rewards were reduced but the difficulty was raised: 64-bit applications and operating systems were used as the targets.

    Participants were asked to remotely execute their code in browsers and in well-known plugins such as Adobe Flash Player and Adobe Reader. The browser targets were the 64-bit versions of Google Chrome, MS IE11 in sandbox mode (EPM), Mozilla Firefox and Apple Safari, plus the aforementioned Flash Player and Reader plugins running inside IE11 in sandbox mode. As a result, every browser scheduled for the first day was successfully exploited.

    This year the prizes were as follows (the 64-bit browsers run on fully patched versions of MS Windows 8.1 x64 and Apple OS X Yosemite). It is worth noting that the well-known Oracle Java software was not among the plugins this year.

    • Google Chrome: $75,000.
    • MS Internet Explorer 11 in sandbox mode (EPM): $65,000.
    • Mozilla Firefox: $30,000.
    • Adobe Reader on IE11 in sandbox mode (EPM): $60,000.
    • Adobe Flash Player (64-bit) on IE11 in sandbox mode (EPM): $60,000.
    • Apple Safari: $50,000.

    The funds paid out on the first day ($317,500) were distributed as follows:

    • Adobe Flash Player x 2 = $60K + $25K (sandbox bypass) + $30K = $115K
    • Adobe Reader x 2 = $60K + $30K + $25K (sandbox bypass) = $115K
    • Mozilla Firefox x 1 = $30K + $25K (sandbox bypass) = $55K
    • MS IE11 x 1 = $32.5K

    = $317,500 in cash.

    Flash Player was exploited through a heap overflow (HeapOv) and a use-after-free (UAF), while the sandbox escape and the elevation to SYSTEM privileges were achieved through a vulnerability in Windows itself (TrueType font handling in the Windows kernel) and through the Flash Player isolation mechanism (the Flash broker process). Another vulnerability in the Windows kernel's handling of TrueType font (TTF) files was used to escape the sandbox in the Adobe Reader entry. In both cases these are vulnerabilities in the well-known win32k.sys driver.

    The indicator of successful code execution in the browser is the launch of a harmless Windows application, the calculator (calc.exe). In this case the process is created as a child of one of the browser's tab processes.

    How the exploit must work is laid down by the Pwn2Own rules themselves and boils down to the following.

    A successful entry should be designed to leverage a vulnerability to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions. The entry is required to defeat the target's techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and application sandboxing. The resulting payload should be executing in an elevated context (for example, on Windows-based targets, Medium integrity level or higher).

    So we are talking about a vulnerability in the software itself that allows remote code execution while bypassing the well-known DEP and ASLR protections. A second exploit, usually for a vulnerability in the Windows kernel, may be involved in the chain in order to obtain full SYSTEM privileges, i.e. to bypass the sandbox mechanism.
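    From the defender's side, the two points above (calc.exe spawned as a child of a browser tab process, and the payload running at Medium integrity or higher) translate directly into a process-creation hunt. The script below is an added example and not part of the original article or of the Pwn2Own rules: it runs over a few constructed, Sysmon Event ID 1-style lines (the key=value|key=value layout, the browser/plugin image names and the calc.exe/cmd.exe "marker" children are all assumptions made for the example) and reports whether a hit is confined to the sandbox (Low integrity) or has escaped it (Medium or higher), which is exactly the distinction the contest rule draws.

```python
"""Hunt process-creation telemetry for the Pwn2Own success condition:
an unexpected child spawned by a browser/plugin process, classified by
the child's integrity level (Low = still sandboxed, Medium+ = escaped).
Added example; every event below is constructed, not a real log."""

# Integrity levels in the order Windows ranks them (Sysmon logs the name).
INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}

# Parent images treated as browser/plugin hosts for this hunt (assumption).
BROWSER_IMAGES = {
    "iexplore.exe", "firefox.exe", "plugin-container.exe", "chrome.exe",
    "flashutil64_activex.exe", "acrord32.exe",
}

# Children a browser tab should never spawn; calc.exe is the contest marker (assumption).
SUSPICIOUS_CHILDREN = {"calc.exe", "cmd.exe", "powershell.exe"}

# Constructed Sysmon Event ID 1-like records: key=value fields separated by '|'.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\calc.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|IntegrityLevel=Low|ProcessId=4120|ParentProcessId=3980",
    r"Image=C:\Windows\System32\calc.exe|ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe|IntegrityLevel=Medium|ProcessId=5100|ParentProcessId=2244",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|IntegrityLevel=Medium|ProcessId=6000|ParentProcessId=1100",
    r"Image=C:\Windows\System32\calc.exe|ParentImage=C:\Windows\explorer.exe|IntegrityLevel=Medium|ProcessId=6200|ParentProcessId=1100",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|IntegrityLevel=System|ProcessId=7000|ParentProcessId=3980",
]


def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def basename(path):
    """Lower-cased file name of a Windows path (last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return None for benign events, otherwise a verdict string.

    A suspicious child under a browser parent is code execution; whether it
    also counts as a sandbox escape depends on its integrity level, mirroring
    the rule that the payload must run at Medium integrity or higher."""
    child = basename(event["Image"])
    parent = basename(event["ParentImage"])
    if parent not in BROWSER_IMAGES or child not in SUSPICIOUS_CHILDREN:
        return None
    rank = INTEGRITY_RANK.get(event.get("IntegrityLevel", ""), -1)
    if rank >= INTEGRITY_RANK["Medium"]:
        return "code execution + sandbox escape"
    return "code execution inside sandbox (Low integrity)"


def hunt(lines):
    """Return (ProcessId, child, parent, IntegrityLevel, verdict) for every hit, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((int(ev["ProcessId"]), basename(ev["Image"]),
                         basename(ev["ParentImage"]), ev["IntegrityLevel"], verdict))
    return hits


if __name__ == "__main__":
    for pid, child, parent, level, verdict in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {parent} -> {child} at {level}: {verdict}")
```

    On the constructed input, the calc.exe under explorer.exe is ignored (a user opened the calculator), the calc.exe under iexplore.exe at Low integrity is flagged as code execution that has not left the sandbox, and the Medium-integrity calc.exe under firefox.exe and the SYSTEM-level cmd.exe under iexplore.exe are flagged as full escapes. Real Sysmon output would be read from the event log rather than from the inline list, and the parent/child allow-lists should be tuned to the browser build actually deployed.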

    The Pwn2Own rules stipulate that all vulnerabilities used in the contest are handed over to the vendors so that the corresponding fixes can be prepared; only after that may they be publicly disclosed.
