Hewlett-Packard’s Zero Day Initiative (ZDI) kicked off its annual Pwn2Own browser hacking challenge on March 18 at the CanSecWest security conference in Vancouver, British Columbia, and the big target on the event’s first day was Adobe. Multiple new zero-day vulnerabilities found in Adobe products were publicly demonstrated, and Mozilla’s Firefox and Microsoft’s Internet Explorer 11 Web browsers were exploited as well.
HP awarded a total of $317,500 in prize money to researchers for their disclosures.
The Pwn2Own browser hacking challenge is an annual event in which security researchers attempt to exploit modern Web browsers with previously undisclosed vulnerabilities. HP pays security researchers different amounts depending on the target browser and technology.
The first group to win on Pwn2Own 2015’s first day identified itself as “Team509 and Keen Team” and was awarded $60,000 for successfully exploiting Adobe Flash. HP also awarded the group an additional $25,000 for the successful demonstration of an escalation privilege flaw.
In an interview with eWEEK prior to the event, Brian Gorenc, manager of vulnerability research for HP Security research, said that for this year’s Pwn2Own contest, ZDI is offering researchers a $25,000 bonus for system-level code execution exploits. System-level exploits represent another way to escape the sandbox of the target browser, but to do so they will need to leverage a vulnerability in Windows, he said.
In a tweet, ZDI commented that Team509 and Keen Team were able to bypass all defensive measures by leveraging a memory heap overflow remote code execution and local privilege escalation issue in the Microsoft kernel.
Keen Team also teamed up with a group identified as Tencent PCMgr for the successful exploitation of Adobe Reader. HP awarded them $30,000 for the Reader exploit, with an additional $25,000 for an escalation privilege bug. ZDI commented that the Keen Team and Tencent PCMgr group were able to exploit Reader with an integer overflow and TTF (True Type Font) pool corruption.
Security researcher Nicolas Joly was also able to successfully exploit both Adobe Flash and Adobe Reader. HP awarded Joly $30,000 for the Flash exploit and $60,000 for the Reader exploit. The Flash exploit was a use-after-free (UAF) memory flaw that enabled remote code execution. The Adobe Reader issue was a stack buffer overflow issue that led to remote code execution.
All told, HP paid out $230,000 for successful exploits against Adobe products. Adobe spokesperson Heather Edell said that Adobe representatives are onsite at Pwn2Own to get the full disclosure on the vulnerabilities from HP.
“We always appreciate working with the security community at Pwn2Own, and this year is no different,” Edell told eWEEK. “We continue to evolve our security processes accordingly as part of our ongoing security efforts to help ensure the security of our customers.”
All disclosures at Pwn2Own are reported privately to the impacted vendor and are not immediately made public. Edell noted that as soon as Adobe receives a proof of concept of the vulnerabilities, the company initiates its security incident response process. She added that Adobe is not currently aware of any exploits in the wild around the issues demonstrated at Pwn2Own 2015.
“As soon as a determination has been made on timing for a fix, we will provide an update,” Edell said.
While Adobe was a key target on the first day of Pwn2Own 2015, it wasn’t the only target. Security researcher Mariusz Mlynski was able to successfully exploit Mozilla Firefox with a cross-origin vulnerability paired with a privilege escalation bug. Mlynski was awarded $30,000 for the Firefox vulnerability, with an additional $25,000 for the privilege flaw.
The final flaw disclosed on the first day of Pwn2Own 2015 was an exploit demonstrated by the 360Vulcan Team against 64-bit Microsoft Internet Explorer 11. HP awarded the team $32,500 for the exploit, which involved an uninitialized memory vulnerability.
The second day of Pwn2Own 2015 will likely see more exploits revealed. Researchers are scheduled to take on Mozilla Firefox, Microsoft IE 11, Google Chrome and Apple Safari at today’s event.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
