
Pwn2Own 2015: first results

The first day of the well-known Pwn2Own 2015 contest has ended. Participants were invited to demonstrate working exploits for Remote Code Execution (RCE) and Local Privilege Escalation (LPE) vulnerabilities. This year the cash prizes were reduced but the difficulty was raised: the targets were 64-bit applications and operating systems.



Participants were asked to remotely execute their code in browsers and in well-known plug-ins such as Adobe Flash Player and Adobe Reader. The browser targets were the 64-bit versions of Google Chrome, Microsoft IE11 in sandboxed (Enhanced Protected Mode, EPM) mode, Mozilla Firefox and Apple Safari, plus the above-mentioned Flash Player and Reader plug-ins running inside IE11 in sandbox mode. As a result, every browser on the first day's list was successfully exploited.
The prize rates this year were as follows (64-bit web browsers running on the latest fully patched versions of Microsoft Windows 8.1 x64 and Apple OS X Yosemite). It is interesting to note that the well-known Oracle Java software was not among the plug-ins.


The prize money paid out for the first day totaled $317,500 in cash.

Heap overflow and use-after-free (UAF) vulnerabilities were used to exploit Flash Player, while the sandbox escape to full SYSTEM privileges went through a vulnerability in Windows itself (the kernel's TrueType font handling) and through Flash Player's isolation mechanism (the Flash broker process). Another vulnerability in the Windows kernel's TrueType font (TTF) handling was used to bypass the sandbox when exploiting Adobe Reader. Evidently, in both cases these are vulnerabilities in the well-known win32k.sys driver.

The indicator of successful code execution in a browser is the launch of an innocuous Windows application, the calculator (calc.exe). In this case the calculator process is created as a child of one of the browser's tab processes.

What counts as a successful exploit is defined by the Pwn2Own rules themselves and boils down to the following.

A successful entry must defeat the target's techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and application sandboxing. The resulting payload should be executing in an elevated context (for example, on Windows-based targets, Medium integrity level or higher).

Thus, what is required is a vulnerability in the target software itself that allows remote code execution while defeating the well-known DEP and ASLR mitigations. A second exploit may also be chained in, typically for a vulnerability in the Windows kernel, to obtain full SYSTEM privileges and thereby bypass the sandbox.
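The two observable facts above, a child process appearing under a browser tab process and the payload running at Medium integrity or higher, are exactly what a defender can turn into a detection. The following script is an added example, not code from the original post: it applies both checks to process-creation records whose fields are modelled loosely on Sysmon Event ID 1 (Image, CommandLine, IntegrityLevel, ParentImage, ParentCommandLine). The parent's integrity level is assumed to have been joined in from the parent's own creation event, the list of sandboxed host processes and the Chrome `--type=renderer` marker are assumptions, and every sample record is constructed for illustration.

```python
"""Flag processes spawned from a sandboxed browser or plug-in process.

Added example, not code from the original post. The post states that a
Pwn2Own exploit is judged by calc.exe being created as a child of a browser
tab process, and that the payload must run at Medium integrity or higher.
This script applies both checks to process-creation records. The record
fields are modelled loosely on Sysmon Event ID 1; the parent's integrity
level is assumed to have been joined in from the parent's own creation
event, and all sample records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows mandatory integrity levels, higher number = more privileged.
# Sandboxed renderers and plug-in processes normally run at Low or below.
INTEGRITY = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}

# Image-name prefixes of processes that host sandboxed content for the
# targets named in the post, with an optional command-line marker that
# distinguishes the sandboxed process from the browser's main process.
# (Assumption: Chrome's tab processes carry --type=renderer; Flash's
# plug-in process image is FlashPlayerPlugin_<version>.exe.)
SANDBOXED_HOSTS = [
    ("chrome.exe", "--type=renderer"),
    ("iexplore.exe", None),        # IE11 EPM content process
    ("firefox.exe", None),
    ("flashplayerplugin", None),   # versioned image name, prefix match
    ("acrord32.exe", None),        # Adobe Reader sandboxed process
]


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    integrity: str
    parent_image: str
    parent_cmdline: str
    parent_integrity: str


def is_sandboxed_host(image: str, cmdline: str) -> bool:
    """True if (image, cmdline) looks like a sandboxed tab/plug-in process."""
    name = image.rsplit("\\", 1)[-1].lower()
    for prefix, marker in SANDBOXED_HOSTS:
        if name.startswith(prefix) and (marker is None or marker in cmdline):
            return True
    return False


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for a process-creation event, or None.

    "browser-child": a sandboxed browser/plug-in process spawned something
    (code execution inside the sandbox, the Pwn2Own calc.exe indicator).
    "sandbox-escape": additionally the child runs at a higher integrity
    level than its parent, i.e. the sandbox was bypassed.
    """
    if not is_sandboxed_host(ev.parent_image, ev.parent_cmdline):
        return None
    parent_lvl = INTEGRITY.get(ev.parent_integrity, 0)
    child_lvl = INTEGRITY.get(ev.integrity, 0)
    if child_lvl > parent_lvl:
        return "sandbox-escape"
    return "browser-child"


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, label) for every event that produces a finding."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            findings.append((ev.pid, label))
    return findings


# Constructed sample records (not real telemetry).
EVENTS = [
    # calc.exe at Medium integrity spawned by a Low-integrity Chrome renderer
    ProcEvent(4242, r"C:\Windows\System32\calc.exe", "calc.exe", "Medium",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --type=renderer --lang=en-US", "Low"),
    # Chrome's main (broker) process launching a new renderer: benign
    ProcEvent(3131, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --type=renderer --lang=en-US", "Low",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe", "Medium"),
    # calc.exe spawned by the IE content process but still at Low integrity:
    # code execution without a sandbox escape
    ProcEvent(5151, r"C:\Windows\System32\calc.exe", "calc.exe", "Low",
              r"C:\Program Files\Internet Explorer\iexplore.exe",
              "iexplore.exe SCODEF:1000 CREDAT:75009", "Low"),
    # a user launching calc.exe from Explorer: benign
    ProcEvent(6161, r"C:\Windows\System32\calc.exe", "calc.exe", "Medium",
              r"C:\Windows\explorer.exe", "explorer.exe", "Medium"),
]

if __name__ == "__main__":
    for pid, label in scan(EVENTS):
        print(f"pid {pid}: {label}")
```

The integrity comparison is the part worth keeping even if the host list is tuned per environment: a sandboxed process that produces a child at a higher integrity level than its own is the signature of the kernel-assisted escape described in the post, whereas a child at the same low integrity indicates code execution that is still contained.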

The Pwn2Own rules stipulate that all vulnerabilities used in the contest will be sent to vendors for the preparation of the corresponding fixes. They can then be publicly disclosed.

Source: https://habr.com/ru/post/253557/

