
Mobile Pwn2Own 2014: results

A few days ago, the well-known Mobile Pwn2Own 2014 contest, held in Tokyo, came to an end. Vulnerability researchers from security companies were invited to demonstrate successful exploitation of vulnerabilities on well-known mobile devices, including the Apple iPhone 5s & iPad Mini, Amazon Fire Phone, BlackBerry Z30, Google Nexus 5 & 7, as well as the Nokia Lumia 1520 and Samsung Galaxy S5. Successful exploitation had to lead to remote code execution in the mobile OS via a browser, or to control of the device through a built-in application or the OS itself (iOS, Fire OS, BlackBerry OS, Android, Windows Phone). All operating systems were running the most current updates (fully patched).



So, for remote code execution through a browser or through the OS itself (with full access to the OS in all cases) $50K was offered; for the same at the level of the Bluetooth, Wi-Fi and Near Field Communication (NFC) services, $70K. One of the main difficulties in demonstrating an exploit was the so-called full sandbox escape, i.e., bypassing the restrictions the OS imposes on the mobile application being exploited, which keep remotely executed code confined even when the vulnerability itself is in the application's code, for example, a browser. To bypass this security mechanism, auxiliary OS vulnerabilities of the Elevation of Privilege type are used as a rule, which help to obtain maximum rights in the system.


On the first day of the competition, all the declared devices were successfully pwned. The well-known South Korean researcher known by the pseudonym lokihardt@ASRT demonstrated successful code execution through the Safari browser, with full access to the operating system on the Apple iPhone 5s. Thus, he managed to find an RCE vulnerability in Safari, as well as bypass its iOS sandbox (full Safari sandbox escape). A similar situation occurred with the Samsung Galaxy S5: it was pwned on the first attempt by the researchers from Team MBSD. Control over the OS was obtained through the NFC service. In total, the following were hacked on the first day:


At the end of the second day of the competition, the sandbox security mechanism held up on Windows Phone 8 (Nokia Lumia 1520). The VUPEN team was able to demonstrate a successful RCE exploit, that is, exploitation of a vulnerability in IE, and obtain some information about the user's activity, the cookie database. However, the sandbox mechanism was not circumvented, which prevented the team from gaining full access to the Windows Phone environment (partial pwnage).

The same fate befell another researcher, Jüri Aedla, who demonstrated a partial pwnage of the Wi-Fi service on Android on the Google Nexus 5. He was unable to gain full access to the device, because the exploit could not bypass sandboxing on Android.

According to the rules of the competition, vulnerabilities demonstrated by researchers are immediately sent to the respective vendors for analysis and release of the corresponding update.

Source: https://habr.com/ru/post/243323/

