
Safari, Chrome and Flash Player hacked at Pwn2Own, some of them twice


steven36


Hackers take home $282,500 on the contest's first day

 


 

Security researchers exploited previously unknown vulnerabilities in Apple Safari, Google Chrome and Flash Player to compromise the latest versions of OS X and Windows during the first day of the annual Pwn2Own hacking contest.

 

On Wednesday, four teams and a researcher who competed on his own made six attempts to hack this year's targets: Safari running on OS X, Chrome running on Windows, Microsoft Edge running on Windows and Flash Player on Windows. Four attempts were successful, one was only partially successful and one failed.

 

The 360Vulcan Team from Chinese Internet security company Qihoo 360 combined a remote code execution vulnerability in Flash Player with a vulnerability in the Windows kernel to gain system privileges. For this feat, they received a US$80,000 prize, $60,000 for the Flash Player exploit and a $20,000 bonus for the system-level escalation.

 

Later in the day, the same team demonstrated a remote code execution attack against Google Chrome on Windows that members also managed to escalate to system. For that attack, they combined exploits for four vulnerabilities: one in Chrome, two in Flash and one in the Windows kernel.

The attack was considered only a partial win, because the Chrome flaw had previously been reported to Google by an independent researcher without the team's knowledge, so it didn't qualify as a zero-day. The team still won $52,500, putting their first-day payout at $132,500.

 

South Korean researcher JungHoon Lee, known in hacking circles as lokihardt, demonstrated a remote code execution attack against Apple Safari on OS X with an escalation to root privileges. He also combined four vulnerabilities, earning a $60,000 prize.

 

This year, Safari exploits are rewarded with $40,000, compared to $60,000 for Chrome and Microsoft Edge on Windows. The privilege escalation bonus of $20,000 is available for both Windows and OS X.

 

It's worth noting that during last year's edition of Pwn2Own, JungHoon Lee was the most successful contestant, taking home $225,000, almost half of the total payout.

 

 

Chinese Internet giant Tencent has three teams in the contest, with members from several of its subsidiaries.

 

During the first day, Tencent Security Team Shield demonstrated an attack against Safari to achieve root-level code execution. The exploit combined two vulnerabilities, one in Safari and one in another privileged process, and earned the team $40,000.

 

Meanwhile, Tencent Security Team Sniper demonstrated an attack against Flash Player on Windows that involved privilege escalation to system, for which the group received $50,000.

The third Tencent team, Xuanwu Lab, tried an exploit against Adobe Flash in Microsoft Edge, but it failed to work.

 

During the first day, security researchers won $282,500 and disclosed 15 previously unknown vulnerabilities. The exploits were shared with contest organizers from the Zero Day Initiative, which is now part of Trend Micro, and will be reported to the affected vendors. 

 

This year, the Pwn2Own contest is sponsored by Trend Micro and Hewlett Packard Enterprise and has a total prize pool around $600,000.

 

The Source


Pwn2Own: Day 2 and Event Wrap-Up

 

The second and final day of the 2016 Pwn2Own competition wrapped up today.

 

By the afternoon, an already exciting competition shifted into high gear when two attempts failed in a row (a Pwn2Own first) and the top prize of Master of Pwn came down to the success or failure of the last attempt of the event by Tencent Security Team Sniper (KeenLab and PC Manager). After only two minutes, their demonstration succeeded, making them the Master of Pwn for Pwn2Own 2016 with 38 Master of Pwn points and US$142,500. JungHoon Lee tied for second with 25 Master of Pwn points and US$145,000. 360Vulcan Team also tied for second with 25 Master of Pwn points and US$132,500. Tencent Security Team Shield came in fourth with 10 Master of Pwn points and US$40,000. In total, 98 Master of Pwn points and US$460,000 were earned by these four teams.

 

Overall the event was very successful. It was the largest event in the history of Pwn2Own and resulted in 21 new vulnerabilities. For a full breakdown, see “Pwn2Own 2016 in Numbers” below.

 

As fun as the Pwn2Own competition is, ultimately it is serious business about understanding the current threats and weaknesses. This year’s competition succeeds in that regard. While it’s easy to focus on the state of browser security as shown at Pwn2Own, the real, important, technical story is about the state of kernel security. EVERY successful attack achieved SYSTEM or root privileges. This is a Pwn2Own first. It’s also a very worrying development. As ZDI researcher Jasiel Spelman noted, researchers and attackers are likely focusing on the kernel in response to advances in sandboxing. It’s a truism in security that when you harden one area, attackers and researchers will move their attention to another one. Based on Pwn2Own 2016, it appears that’s happening with a shift to focus on the kernel. This is also borne out by what we’re seeing in Linux lately: while Linux is outside the focus of Pwn2Own, we’ve seen a number of Linux kernel issues lately.

 

Hopefully, operating system vendors and maintainers will hear the message and give a renewed focus to the security of their kernels. This trend is likely to continue into the future.

Meanwhile, Pwn2Own 2016 has been a great event to kick off TippingPoint, ZDI and DVLabs joining Trend Micro.

 


 

 

Pwn2Own 2016 in Numbers:

Total prizes awarded:

 
  • Master of Pwn Points: 98
  • Cash: US$ 460,000
   

Number of Attempts:

 
  • Fully Successful: 7 (64%)
  • Partially Successful: 1 (9%)
  • Failed: 3 (27%)
   

Number of Successful Attempts Against:

 
  • Apple Safari: 3/3 (100% Success)
  • Microsoft Edge: 2/2 (100% Success)
  • Adobe Flash: 4/5 (75% Success)
  • Google Chrome: .5/2 (25% Success) (NOTE: The actual vulnerability in Google Chrome had already been independently reported to Google; this is counted as a partial success)
   

Percentage of Successful or Partially Successful attacks that achieved SYSTEM or root privilege: 100%

 

Contestant Success Standings:

 
  • Tencent Security Team Sniper (KeenLab and PC Manager): 3/3 (100% Success)
  • 360Vulcan Team: 1.5/2 (75% Success)
  • JungHoon Lee (lokihardt): 2/3 (66% Success)
  • Tencent Security Team Shield (PC Manager and KeenLab): 1/2 (50% Success)
  • Tencent Xuanwu Lab: 0/1 (0% Success)
   

Awards:

 
  • Most Master of Pwn Points Awarded in a Single Attempt: 15 – JungHoon Lee (lokihardt) against Microsoft Edge in the SYSTEM context and Tencent Security Team Sniper (KeenLab and PC Manager) against Microsoft Edge in the SYSTEM context.
  • Biggest Cash Prize Awarded in a Single Attempt: US$85,000 JungHoon Lee (lokihardt) against Microsoft Edge in the SYSTEM context.
   

Number of new vulnerabilities:

 
  • Microsoft Windows: 6
  • Apple OS X: 5
  • Adobe Flash: 4
  • Apple Safari: 3
  • Microsoft Edge: 2
  • Google Chrome: 1 (a duplicate of a previous, independently reported vulnerability)
  • Total: 21
   

Total number of new browser vulnerabilities: 6

Total number of new kernel vulnerabilities: 6

 

Day 2 Details:

 
  • Tencent Security Team Sniper (KeenLab and PC Manager): Demonstrated a successful code execution attack against Safari to gain root privileges using a use-after-free vulnerability in Safari and an out-of-bounds vulnerability in Mac OS X. This demonstration earned them 10 Master of Pwn Points and US$40,000.
  • JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Microsoft Edge in the SYSTEM context using an uninitialized stack variable vulnerability in Microsoft Edge and a directory traversal vulnerability in Microsoft Windows to get SYSTEM privilege. This demonstration earned him 15 Master of Pwn points and US$85,000.
  • JungHoon Lee (lokihardt): Attempted to demonstrate a code execution attack against Google Chrome. This attempt failed.
  • Tencent Security Team Shield (PC Manager and KeenLab): Attempted to demonstrate a code execution attack against Adobe Flash in SYSTEM context. This attempt failed.
  • Tencent Security Team Sniper (KeenLab and PC Manager): Demonstrated a successful code execution vulnerability against Microsoft Edge in the SYSTEM context using an out-of-bounds vulnerability in Microsoft Edge and a buffer overflow vulnerability in the Kernel. This demonstration earned them 15 Master of Pwn points and US$52,500.

 

The Source



On the first day of the browser-hacking event, $282,500 in prize money was awarded. Researchers exploited vulnerabilities in Chrome, Flash and Safari.

 

The annual Pwn2own browser-hacking competition at the CanSecWest conference in Vancouver, Canada, started March 16 with $282,500 awarded in first-day prizes.

 

Hewlett Packard Enterprise and Trend Micro are jointly sponsoring this year's Pwn2own event. As part of the first day, a group of researchers identified as the 360Vulcan Team were the big winners, walking away with $132,500 in prize money for exploiting Adobe Flash and Google Chrome. The Flash exploit made use of a type confusion bug in Adobe Flash as well as a vulnerability in Microsoft's Windows 10.

 

"The [Windows] kernel vulnerability was a use-after-free vulnerability," Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. "They successfully chained both of these to compromise the target at the system level."

 

For the Flash and Windows chained exploit, the 360Vulcan Team received $80,000. The second exploit demonstrated by 360Vulcan Team was against Google's Chrome and made use of four new zero-day vulnerabilities, two use-after-free vulnerabilities in Adobe Flash, one use-after-free vulnerability in the Windows Kernel and an out-of-bounds vulnerability in Google Chrome. For the Chrome exploit, 360Vulcan Team was awarded $52,500.
 
Independent security researcher JungHoon Lee earned $60,000 on the first day of Pwn2own 2016 by exploiting Apple's Safari browser. Lee found four vulnerabilities in total, including issues in Safari as well as Apple's OS X desktop operating system.

 

"One of the vulnerabilities was in Safari, the other three were vulnerabilities within Mac OS X," Budd said.

 

Chinese corporation Tencent is well-represented at Pwn2own 2016, with three teams competing -- Sniper, Shield and Xuanwu. Tencent's Team Sniper earned $50,000 on the first day of Pwn2own by successfully demonstrating a new attack against Adobe Flash that exposed a new out-of-bounds vulnerability in Flash and a use-after-free vulnerability in Windows.

 

Tencent's Team Shield's attention was on Apple's Safari, where the group was able to find three new vulnerabilities. One of the vulnerabilities is a use-after-free memory issue in Safari while the other is in a Mac OS X privileged process. For their efforts in attacking Safari on OS X, Tencent's Team Shield was awarded $40,000.

 

Day Two of Pwn2own 2016 includes Tencent's Team Sniper taking another shot at exploiting Apple's Safari. JungHoon Lee will be attempting to exploit the Microsoft Edge browser as well as Google Chrome. Tencent's Team Shield will use the second day of Pwn2own to attempt to exploit Microsoft Edge as well.

 

One target that isn't being attempted by security researchers is VMware Workstation. As part of the contest, there is an award for a researcher who is able to execute a hypervisor escape from the VMware Workstation virtual machine on which the Windows-based browsers will be running. Budd isn't surprised that no researcher has decided to try and attack VMware Workstation.

 

"It's a new vector for attack, and one that can be particularly challenging," Budd said. "Given the amount of time required for adequate research, it's not surprising that no one has signed up this year. However, we do expect to see people sign up for this next year."

 

 

 

ARTICLE SOURCE

 

 



3 hours ago, oliverjia said:

All Chinese / Korean?

Regulations/Agreements (Concerning security research/disclosure) have hung US and EU from what I hear, many Asian countries didn't sign up for that shit.



14 hours ago, CODYQX4 said:

Regulations/Agreements (Concerning security research/disclosure) have hung US and EU from what I hear, many Asian countries didn't sign up for that shit.

That's the way the West operates now: they want to take us back to the time before the internet, where the news came out and in a week it was forgotten. The government wants you to trust them with cyber security when they also write malware too. The governments don't write the software we use; vendors do. They just backdoor our software just like the independent hackers do. State hackers just use it to spy and steal state secrets and to convict people. The independent hackers use it to steal money and to protest. Two wrongs don't make a right. It's a battle of two evils. And they won't let you know about the evil until up to 90 days after it's a fact the exploit exists; a lot can happen in 90 days. This shows how good hiding an exploit does.

 

Quote

Google Chrome: 1 (a duplicate of a previous, independently reported vulnerability)

This other person figured out the exploit and didn't know about it yet. That shows they can hide the fact it's not patched yet and some other hacker can figure it out and put it in the wild anyways.
