Firefox, Safari, Edge and Tesla fall prey to hacking in the Pwn2Own 2019 hacking competition in Vancouver
Pwn2Own Vancouver 2019, sponsored by Microsoft, VMware, and Tesla, took place from March 20 to 22, 2019 at the Sheraton Wall Centre hotel in Vancouver, Canada. The event saw hackers successfully exploit web browsers like Firefox, Safari, and Edge, and even the new automotive entrant, the Tesla Model 3.
For those unaware, the Pwn2Own hacking contest is an effort to promote the Zero Day Initiative (ZDI) program, which is designed to reward security researchers for exploiting the latest and most popular mobile devices, web browsers, virtualization servers, enterprise applications, and Windows RDP, and for demonstrating and disclosing major zero-day vulnerabilities to tech companies. Following the contest, vendors have 90 days to produce patches for these bugs.
Day 1 at the Pwn2Own Vancouver 2019 (Apple Safari)
At the start of day one, Amat Cama and Richard Zhu from the Fluoroacetate team successfully targeted the Apple Safari browser by using a bug in JIT with a heap overflow to escape the sandbox. This brute force technique earned them $55,000 and 5 Master of Pwn points.
Besides the Fluoroacetate team, the phoenhex & qwerty team (@_niklasb @qwertyoruiopz @bkth_) also exploited the Apple Safari browser with a kernel elevation. They used a JIT bug followed by a heap OOB (out-of-bounds) read, and then pivoted from root to kernel via a TOCTOU (Time-of-Check-Time-of-Use) bug. However, this was considered a partial win, since Apple was already aware of one of the bugs. The team still won $45,000 and 4 Master of Pwn points.
Day 2 at the Pwn2Own Vancouver 2019 (Mozilla Firefox and Microsoft Edge)
The second day at the Pwn2Own Vancouver 2019 started with the Fluoroacetate team targeting Mozilla Firefox with a kernel escalation in the web browser category. The team used a bug in JIT along with an out-of-bounds write in the Windows kernel to successfully take over the system. They were able to execute code at SYSTEM level just by visiting their specially designed website, which earned them $50,000 and 5 Master of Pwn points.
Further, the Fluoroacetate team also successfully targeted Microsoft Edge by opening the web browser from within a VMware Workstation and then browsing to their specially crafted web page. The team used a combination of a type confusion in Edge, a race condition in the kernel, and finally, an out-of-bounds write in VMware to go from a browser in a virtual client to executing code on the host OS. This hack earned them $130,000 and 13 Master of Pwn points.
In another attempt on Mozilla Firefox, Niklas Baumstark (@_niklasb) successfully exploited the web browser by using a JIT bug in Firefox followed by a logic bug for the sandbox escape. This hack earned him $40,000 and 4 Master of Pwn points.
The final attempt for Day Two saw the debut of Arthur Gerkis (@ax330d) of Exodus Intelligence targeting Microsoft Edge. He used a double free in the renderer and a logic bug to bypass the sandbox. This effort earned him $50,000 and 5 Master of Pwn points.
Day 3 at the Pwn2Own Vancouver 2019 (Tesla Model 3)
The third day of the event, which was dedicated to automotive hacking, saw the Fluoroacetate team successfully exploit the infotainment system (Chromium) on the Tesla Model 3 via its browser. They managed to display a message on the car’s web browser by exploiting a JIT bug in the browser renderer process. The duo received a $35,000 reward, along with the Tesla car they hacked.
“In the coming days we will release a software update that addresses this research,” a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
Team Fluoroacetate, with a total of 36 points and $375,000 USD in prizes, won the title of ‘Master of Pwn’ for 2019. It is worth noting that the same team also won the title of ‘Master of Pwn’ for 2018 in Tokyo last year.
All the exploits and bugs showcased at Pwn2Own have been reported to vendors, which have been given 90 days to release patches. The details of the bugs will be made public by Trend Micro’s Zero Day Initiative (ZDI), the main organizer of the event, after 90 days.