Adobe Reader, Edge, Safari, and Ubuntu fall during first day at Pwn2Own
The Pwn2Own 2017 event marked the 10th year of the annual hacking competition that began on March 15. The Pwn2Own contest runs every year during the CanSecWest security conference in Vancouver, Canada. It’s organized and sponsored by Micro’s Zero Day Initiative (ZDI). This year’s Pwn2Own computer hacking contest has over $1 million to be won in prizes.
The first day of the Trend Micro-sponsored Pwn2Own competition saw security researchers successfully exploit Microsoft Edge, Apple Safari, Adobe Reader and Ubuntu Linux. However, the 2017 event is the first that provided Linux, and specifically the Ubuntu 16.10 Linux distribution, with researchers taking direct aim at the open-source operating system.
“The Chaitin Security Research Lab (@ChaitinTech) welcomes Ubuntu Linux to Pwn2Own with a Linux kernel heap out-of-bound access,” ZDI wrote in a blog post.
The Chaitin Security Research Lab was awarded a $15,000 prize for its efforts. Confirming the news to eWEEK , Abdul Hariri, a senior vulnerability researcher with ZDI, that the hack done on stage at Pwn2Own found the vulnerability in the Linux 4.8 kernel used by the Ubuntu 16.10 distribution. The vulnerability itself was activated by a researcher who only had basic user access, but was able to become the root administrative account user by upraising privileges with the vulnerability.
Canonical, the lead commercial sponsor of Ubuntu, will be notified regarding the kernel issue, said Hariri to ZDI, although he pointed out that there was no representative from Canonical at the Pwn2Own event.
Additionally, the Pwn2Own 2017 event also listed Apache Web Server running on Ubuntu 16.10 Linux as a potential target, with a prize of $200,000 for a successful exploit. Dustin Childs, director of communication for ZDI, told eWEEK that no one has registered to point at the Apache/Ubuntu target.
Besides exploiting Ubuntu, Chaitin Security Research Lab also chained together an exploit that took advantage of six separate bugs to escalate their access to root on macOS, winning a $35,000 prize.
Samuel Groß and Niklas Baumstark won $28,000 for exploiting five bugs to display a message on the Touch Bar of a 2016 MacBook Pro. However, ZDI called it a “partial win” in an attack against Apple Safari and macOS.
“They employed a use-after-free in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS,” Childs told eWEEK. “Unfortunately, the UAF was corrected by the beta version of the browser, earning them only the partial win.”
Complete details of both the above exploits will be provided to Apple so that the bugs can be fixed before they are made public.
In the meantime, two teams managed to take down Adobe Reader and combined other Windows kernel flaws into their attacks to achieve system-level privilege escalation. Researchers from the 360 Security team earned $50,000 for their exploit chain, and the team from China-based internet company Tencent won $25,000 for exploiting a new use-after-free vulnerability to gain code execution. In addition, Tencent was also able to exploit the Microsoft Edge browser by using a logic bug to escape the browser sandbox, resulting in an award of $80,000.
The first day of the Trend Micro-sponsored Pwn2Own competition saw a total of $233,000 being given away in prize money to security researchers. The hacking contest continues through March 17 giving opportunities to more researchers to demonstrate additional zero-day exploits to claim more of ZDI’s award money.