Technology Security, VR World

No Browser Was Safe at Pwn2Own 2015

Every year at the CanSecWest security conference in Vancouver, Hewlett-Packard (NYSE: HPQ) runs the Pwn2Own hacking competition where big cash prizes are delivered for browser exploits.

This year no browser proved to be unhackable. The big winner of the contest was South Korean security researcher JungHoon Lee, who developed exploits for Internet Explorer and Chrome on Windows as well as Safari on OSX. For that, he walked away with $225,000 in cash.

Lee’s attack on Chrome exploits a buffer overflow race condition in Chrome, then uses an info leak and a race condition in two Windows kernel drivers to get SYSTEM access, according to HP’s Security Research blog. The attack bypasses the anti-exploit mechanisms built into Chrome, such as the sandbox and address space layout randomization (ASLR), which have made it one of the more secure browsers.

“With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000,” Pwn2Own organizers wrote in a blog post. “To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration.”

Lee also demonstrated a viable Internet Explorer 11 attack. This attack bypassed Internet Explorer’s sandbox through a time-of-check to time-of-use (TOCTOU) vulnerability, which allows JavaScript to execute with elevated privileges. This earned Lee another $65,000.

Finally, Lee demonstrated an exploit for Safari: a use-after-free (UAF) vulnerability involving an uninitialized stack pointer in the browser, combined with a sandbox bypass, gave him code execution.

Firefox was hacked on the first day of the contest via an out-of-bounds read/write vulnerability leading to medium-integrity code execution.

All of the vulnerabilities were disclosed to the vendors after the conference. The vendors will be given time to patch them before the exploit code is released to the public.