
Pwn2Own 2015: results

The second day of Pwn2Own ended with successful exploitation of vulnerabilities in every browser entered: Google Chrome, Microsoft IE11, Apple Safari and Mozilla Firefox. The first day of the competition, together with the browser and operating-system configurations used as targets, was covered in the previous post. Unlike the first day, this time remote code execution was also demonstrated in Google Chrome.



Mozilla has already shipped a Firefox update fixing the vulnerabilities shown at the contest; updates for the other browsers will follow later. Over the two days of competition the participants earned a total of $557,500, and every browser entered, along with its plugins, was successfully exploited.
The prize money paid out for the second day of the competition was distributed as shown in the awards table (not reproduced here), for a second-day total of $240K in cash.

The competitors bypassed the sandbox mechanism that browsers use to isolate their tab (renderer) processes from the rest of the OS. An additional $25K was awarded for exploiting a vulnerability in Windows itself that allowed code to run at the highest privilege level, SYSTEM (a full sandbox bypass). In the case of IE11, the Enhanced Protected Mode (EPM) sandbox was bypassed by injecting a special JavaScript fragment into the browser (broker) process, which runs at Medium Integrity Level (IL), so the attacker's code executed at Medium IL rather than in the sandboxed content process. In the case of Google Chrome, in addition to the RCE vulnerability itself, a Windows LPE exploit was demonstrated that elevated privileges to SYSTEM. The researchers also managed to compromise the beta version of the browser.

Over the two days of the competition, vulnerabilities in the following products were demonstrated (the table listing them is not reproduced here).

The contest rules additionally required that the most current version of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) be fully enabled on the target, and that the vulnerabilities be unknown, unpublished, and not previously reported to the vendor.

This year the bar for exploitation was raised: in addition to 64-bit applications and operating systems, the rules required Microsoft EMET to be active on the system. EMET blocks a large number of techniques that exploits rely on, including common DEP and ASLR bypasses. As usual, the demonstrated vulnerabilities and their exploits had to be previously unknown (0-day) and not publicly disclosed before the contest.
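The 64-bit and DEP/ASLR requirements above are properties a target binary declares in its PE header, so a practitioner setting up (or auditing) a comparable target can check them without running anything. The script below is an added example, not code from the article or from ZDI: it parses the DOS, COFF and optional headers with the Python standard library and reports whether an image is 64-bit and whether it opts into ASLR (`DYNAMIC_BASE`), high-entropy 64-bit ASLR (`HIGH_ENTROPY_VA`) and DEP (`NX_COMPAT`). The two sample images are constructed in memory for the demonstration and are not real browser binaries. Note the caveat: these flags say what the binary itself opts into; EMET's mandatory ASLR and DEP settings can enforce the protections on images that lack the flags, which is precisely why the rules required it.

```python
"""Report the exploit-mitigation opt-ins declared in a Windows PE header.

Added example, not part of the original article. Standard library only.
Sample PE images are constructed below; they are headers only, not loadable.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from winnt.h
DLLCHAR_HIGH_ENTROPY_VA = 0x0020
DLLCHAR_DYNAMIC_BASE = 0x0040
DLLCHAR_NX_COMPAT = 0x0100
DLLCHAR_GUARD_CF = 0x4000

MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
MAGIC_PE32 = 0x10B
MAGIC_PE32PLUS = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return the mitigation-relevant header fields of a PE image.

    Only the fields needed are read, so the first few hundred bytes of a
    file are enough. Raises ValueError for anything that is not a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)          # IMAGE_FILE_HEADER is 20 bytes
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (MAGIC_PE32, MAGIC_PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    is64 = magic == MAGIC_PE32PLUS
    return {
        "is_64bit": is64,
        "machine": machine,
        "aslr": bool(dllchars & DLLCHAR_DYNAMIC_BASE),
        # HIGH_ENTROPY_VA only takes effect for relocatable 64-bit images.
        "high_entropy_aslr": is64
        and bool(dllchars & DLLCHAR_DYNAMIC_BASE)
        and bool(dllchars & DLLCHAR_HIGH_ENTROPY_VA),
        "dep": bool(dllchars & DLLCHAR_NX_COMPAT),
        "cfg": bool(dllchars & DLLCHAR_GUARD_CF),
        "dll_characteristics": dllchars,
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the opt-ins a Pwn2Own-style hardened target lacks (empty if none)."""
    m = pe_mitigations(data)
    missing = []
    if not m["is_64bit"]:
        missing.append("64-bit")
    if not m["aslr"]:
        missing.append("ASLR")
    elif m["is_64bit"] and not m["high_entropy_aslr"]:
        missing.append("high-entropy ASLR")
    if not m["dep"]:
        missing.append("DEP")
    return missing


def build_sample_pe(machine: int, magic: int, dllchars: int) -> bytes:
    """Constructed minimal PE header for demonstration; not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: NT headers follow the DOS header
    opt_size = 240 if magic == MAGIC_PE32PLUS else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a fully opted-in 64-bit image and a legacy 32-bit one.
HARDENED_X64 = build_sample_pe(
    MACHINE_AMD64, MAGIC_PE32PLUS,
    DLLCHAR_DYNAMIC_BASE | DLLCHAR_HIGH_ENTROPY_VA | DLLCHAR_NX_COMPAT)
LEGACY_X86 = build_sample_pe(MACHINE_I386, MAGIC_PE32, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # e.g. python pe_mitigations.py chrome.exe
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], missing_mitigations(f.read()) or "all opt-ins present")
    else:
        for name, img in (("hardened_x64", HARDENED_X64), ("legacy_x86", LEGACY_X86)):
            print(name, missing_mitigations(img) or "all opt-ins present")
```

Run it with a path to any browser executable or DLL to see which opt-ins are missing; without arguments it evaluates the two constructed samples. A 32-bit image that lacks `DYNAMIC_BASE` is exactly the kind of target EMET's mandatory ASLR was meant to cover, so an empty result here is a stronger statement than a non-empty one is a weakness.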

Source: https://habr.com/ru/post/253727/

