Zero Initiative’s Pwn2Own – Hackers pwn Firefox, Edge, VirtualBox, macOS, & Safari

Posted on March 23, 2018 at 8:54 AM

White hat hackers took home a long list of prizes at this year’s Pwn2Own security conference. Flaws were exposed in a range of big-name platforms, including Mozilla, Apple Safari, and more. Organizers awarded a total of $267,000 in prizes over the two-day contest.

The Pwn2Own contest took place on March 14 and 15 and challenged white hats with a thirty-minute task. Hackers were challenged to exploit zero-day flaws in products developed by Apple, Microsoft, Mozilla, and Oracle.

Competitors of note

Richard Zhu, online handle fluorescence, was the first challenger to attempt hacking Apple’s Safari browser, on March 14. He used a sandbox escape to hack the browser but was unsuccessful within the thirty-minute time frame. He then turned his attention to Microsoft Edge and was able to break in using two use-after-free flaws. He won $70k for his work at the conference that day. The next day, he turned to Mozilla’s Firefox and successfully hacked the browser using an out-of-bounds read flaw and an integer overflow in the Windows kernel. He was able to break into Firefox with elevated privileges. That hack earned him $50k more. Zhu was also the overall winner of the contest, which grants the title of Master of Pwn.

Samuel Gross, from the phoenhex team, also targeted the Safari browser on March 14. He paired a JIT optimization bug with a macOS logic bug and a kernel overwrite and was able to successfully break into Safari. He earned $65k for his work on Apple’s browser.

Three hackers from Ret2 Systems, Markus Gaasedelen, Nick Burnett, and Patrick Biernat, took their shot at Safari with a macOS kernel EOP. It took the team four tries to exploit the browser, which unfortunately did not win them any prizes. The rules of Pwn2Own state that hackers have only three attempts to successfully hack a product.

Another team to test their mettle at Pwn2Own was MWR Labs. Alex Plaskett, Georgi Geshev, and Gabi Beterke attacked Safari with a sandbox escape, like Zhu. Unlike the Master of Pwn, the team was successful in this gambit, because they were able to leverage a heap buffer underflow and an uninitialized stack variable in macOS. They won $55k for their efforts.

Sponsors and a mission for a better world

Pwn2Own was held in Vancouver at CanSecWest and invited hackers from around the globe to participate. The contest is sponsored by Trend Micro’s Zero Initiative. Findings made at the conference are reported to the vendors, in an effort to keep the web safer for us all.

Source: Hackread

Publisher: Koddos
