Hackers took down Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux over the course of 11 hours on Wednesday, the first day of Pwn2Own, the annual hacking competition held in tandem with the CanSecWest conference in Vancouver.
Contestants with the Chinese security firm Qihoo 360 were the first to strike, exploiting a heap overflow in the way Reader parsed JPEG2000, an image compression standard and coding system used by software.
Hackers combined the heap overflow with a Windows kernel information leak and a remote code execution vulnerability in the Windows kernel to earn $50,000. The attack would be the first of two to be carried out against Reader on the day. Later in the afternoon, hackers working with Tencent Security used an info leak bug and a use-after-free bug to achieve code execution. They followed that up by leveraging another use-after-free in the kernel to gain SYSTEM-level privileges, earning $25K.
Hackers with another China-based group, Chaitin Security Research Lab, took down both Ubuntu Linux and Apple’s Safari browser in two attempts on Wednesday. The Linux bug was a heap out-of-bounds access bug in the Linux kernel, which earned the group $15,000.
The Safari bug was a little more involved. The group had to chain together six different bugs, including an information disclosure in Safari, four different type confusion bugs in the browser, and a use-after-free in WindowServer – a component that manages requests between OS X apps and the machine’s graphics hardware – to carry it out. The group was able to achieve root access on macOS through the exploit and earn $35,000.
Wednesday’s other Safari hack, like Chaitin’s, involved chaining together multiple Apple bugs. Two German hackers, Samuel Groß and Niklas Baumstark, Capture the Flag players from the Karlsruhe Institute of Technology, got partial credit for hacking the browser early on the first day.
The two were able to broadcast a special message across a MacBook Pro’s Touch Bar by chaining together five bugs: a use-after-free in Safari, three logic bugs and a null pointer dereference, a chain which allowed them to elevate to root in macOS. Apple has apparently already fixed the use-after-free in a beta version of Safari, hence the partial credit.
Two groups withdrew attacks planned against Windows and Edge on Wednesday, fueling speculation over whether Microsoft’s delayed Patch Tuesday updates broke attack vectors the entrants were planning on using.
Unlike last year, when it was partially broken, it appears Google Chrome will emerge from this year’s Pwn2Own unscathed. There are currently no exploits scheduled against the browser for the competition’s second day today. Tencent’s Team Sniper attempted to break the browser with a SYSTEM-level escalation hack yesterday but couldn’t complete their exploit chain in time.
Given the large number of entrants – 17 – the competition’s sponsors, Trend Micro and Zero Day Initiative, are splitting Pwn2Own’s second day into two tracks. Attacks against Mozilla’s Firefox, both Microsoft Windows and Edge, Apple’s macOS and Safari, and Adobe Flash are on tap for Thursday.