Security researchers were able to successfully exploit Microsoft Edge, Apple Safari and Oracle’s VirtualBox technologies at the first day of the Pwn2Own security contest on March 14 and were awarded a total of $162,000 for their efforts.
In total, there were four exploit attempts made by security researchers on day one of Pwn2Own 2018, which is being held at the CanSecWest conference in Vancouver, British Columbia. Two of the attempts were considered to be successful, one a partial success and one failed.
The partial success came from security researcher Niklas Baumstark from the phoenhex team for an exploit against the VirtualBox virtualization technology. Baumstark was awarded $27,000 for his exploit attempt that used an out-of-bound memory read in combination with a time-of-check to time-of-use (toctou) memory bug.
“It didn’t completely comply with the Pwn2Own rules for this category, so it was considered a partial success,” Brian Gorenc, director at the Trend Micro Zero Day Initiative, which operates Pwn2Own, told eWEEK.
Among the interesting elements of Baumstark’s VirtualBox attack was the use of the toctou bug. Gorenc noted that the toctou bugs aren’t very common vulnerabilities in the ZDI program overall.
Aside from operating the annual Pwn2Own event, ZDI is in the business of acquiring valid software vulnerabilities from security researchers year round. VirtualBox was a new addition to the Pwn2Own target list for the 2018 event, though ZDI has had an interest in the technology for some time.
“In recent months, we have purchased several VirtualBox vulnerabilities that have been patched in the January 2018 update,” Gorenc said.
Baumstark’s phoenhex colleague Samuel Grob also participated in the first day of the Pwn2Own 2018 event, taking aim at Apple’s macOS and Safari. Grob was able to chain three bugs together to exploit the Apple system and was awarded $65,000 for his efforts.
The biggest win of the day came from security researcher Richard Zhu, who earned $70,000 for exploiting the Microsoft Edge browser. Zhu’s attempt initially failed, but he was able to rework his exploit chain, which included two use-after-free (UAF) memory vulnerabilities in the browser in combination with an integer overflow in the Windows kernel. Gorenc noted that it’s rare to see a researcher rework an exploit in front of a crowd.
“Luckily for Zhu, he had done enough research beforehand to understand where the issue took place and could fix it on the fly during the attempt,” he said.
Microsoft is also a sponsor of the 2018 Pwn2Own event and the original plan was to have a specific target called the Windows Insider Preview challenge that was going to take aim at prerelease Microsoft software.
“Unfortunately, we didn’t have any contestants take on this particular challenge this year,” Gorenc said. “We hope to continue partnering with Microsoft in future events to hopefully see this happen next time.”
In addition to the Windows Insider Challenge, there are also multiple other targets that security researchers are not attacking at Pwn2Own 2018, including Chrome, Apache HTTP, Nginx and VMware.
“We had people originally registered for additional targets, including Chrome, that either were unable to attend the contest or did not successfully complete the contestant registration process,” Gorenc said. “Some of these targets are relatively new to the contest and require additional time for researchers to find vulnerabilities and develop exploitation techniques for those platforms.”
Pwn2Own 2018 continues on March 15 with researchers set to attack Apple’s Safari and Mozilla’s Firefox web browsers.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.