Three gentlemen earned a total of $162,000 on day one of Pwn2Own. Put another way, Zero Day Initiative (ZDI) paid out $162,000 for three Apple bugs, two Oracle bugs, and three Microsoft bugs as Pwn2Own contestants targeted Microsoft Edge, Apple Safari, and Oracle VirtualBox.
Contestants are allowed three attempts within 30 minutes to demonstrate their exploit. Only three people competed on day one of the 11th annual Pwn2Own contest, being held during the CanSecWest 2018 Conference in Vancouver, British Columbia. The order of contestants attempting pwnage is decided by a drawing.
Up first was Richard Zhu (@fluorescence). He targeted Apple Safari with a sandbox escape, but he wasn’t able to get his exploit chain to work within the 30-minute limit. Nevertheless, ZDI called the bugs he used “interesting” and purchased the exploits through the ZDI program.
Apparently Zhu wasn’t rattled at all, as he competed again immediately and put the hurt to Microsoft Edge. Within the 30-minute window, his first attempt failed; his second attempt almost succeeded, but then the dreaded blue screen of death popped up just as his shell started. ZDI noted that Zhu “brought a flair for the dramatic with him.” He succeeded on his third attempt with only one minute and 37 seconds left on the clock.
“In the end, he used two use-after-free (UAF) bugs in the browser and an integer overflow in the kernel to successfully run his code with elevated privileges. The dramatic effort earned him $70,000 and 7 points towards Master of Pwn.”
Niklas Baumstark (@_niklasb) was up next, and he targeted Oracle VirtualBox. ZDI wrote, “Apparently not one for added intrigue, his exploit immediately popped not one, but three different calcs to indicate success. His demonstration qualified as a partial success as he used an Out-of-Bounds (OOB) read and a Time of Check-Time of Use (TOCTOU) to still earn him $27,000 and 3 Master of Pwn points.”
Samuel Groß (@5aelo), the last contestant on Pwn2Own day one, targeted Apple Safari. By the time he was done, Safari had fallen and “pwned by saelo =)” appeared in green text on the MacBook Pro’s Touch Bar. ZDI noted, Groß “used a combination of a JIT optimization bug in the browser, a macOS logic bug to escape the sandbox, and finally a kernel overwrite to execute code with a kernel extension to successfully exploit Apple Safari. This chain earned him $65,000 and 6 points towards Master of Pwn.”
Microsoft patches cause contestants to withdraw
There had been more contestants ready to roll, but some had to withdraw at the last minute from the competition — and some of those withdrew due to the 75 security patches released by Microsoft the day before.
As Trend Micro put it, “We never know what will happen when we arrive at the contest. Whether or not Pwn2Own falls near or right after a Microsoft Patch Tuesday, many vendors will make it a point to issue patches ahead of the contest. So, for example, if a contestant happens to be working on a Microsoft vulnerability, their entry could be thwarted by Microsoft’s updates. A couple of the entries that were withdrawn this year fell ‘victim’ to vendors issuing patches.”
ZDI took a look at three of Microsoft’s “more interesting patches.”
- CVE-2018-0886: Credential Security Support Provider protocol (CredSSP) remote code execution bug which could allow man-in-the-middle attacks against Remote Desktop sessions.
- CVE-2018-0940: Escalation of privilege vulnerability in Exchange Outlook Web Access which failed to sanitize links for users, allowing a phishing attacker to replace a real OWA interface with a fake OWA login page.
- CVE-2018-0868: Elevation of privilege bug in Windows Installer – the type of bug which is “often used by malware authors to ‘piggyback’ their malicious code on top of innocuous code. It’s always easier to convince someone to install ‘GreatNewGame.exe’ instead of ‘EvilMalware.exe’.”
Microsoft partners with ZDI
Speaking of Microsoft, the Redmond giant partnered with ZDI this year and was a VMware sponsor. Microsoft said in a blog post, “Exploit contests are great opportunities as it allows Microsoft engineers to exchange ideas face-to-face with the community. This includes intricate details such as attack approaches, techniques used, and opportunities for improvement against similar attacks. While bug bounty programs focus on vulnerabilities, contests like PWN2OWN focus on exploit chains which typically are only seen in real attacks.”
Today, on day two of Pwn2Own, two teams are targeting Safari — one attempt with a macOS kernel EoP, and one with a sandbox escape. Zhu will target Mozilla’s Firefox with a Windows kernel EoP.