Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Pwn2Own Researchers Reveal Oracle, VMware, Apple Zero-Day Exploits

    By
    SEAN MICHAEL KERNER
    -
    March 21, 2019
    Share
    Facebook
    Twitter
    Linkedin
      Pwn2Own 2019

      Day in and day out, vendors do their best to keep their software patched and free from zero-day vulnerabilities. Then along comes the annual Pwn2Own competition and within minutes, elite researchers are able to demonstrate new zero-day flaws.

      The first day of Pwn2Own 2019 on March 20 in Vancouver, Canada, saw researchers reveal new zero-day vulnerabilities in Apple Safari and macOS, as well as Oracle VirtualBox and VMware Workstation. Pwn2Own, which is operated by Trend Micro’s Zero Day Initiative (ZDI), rewards researchers with cash prizes for demonstrating new zero-day vulnerabilities during the live event. All told, researchers collected a total of $240,000 in awards for their efforts and there are still two more days left.

      A team known as Fluoroacetate, made up of researchers Amat Cama and Richard Zhu, was the big winner on day one, exploiting Apple Safari, Oracle VirtualBox and VMware Workstation, earning $160,000 for their day’s effort. In terms of how a single group was so successful, it has to do with circumstance and opportunity.

      “Part of it was luck of the draw, but mainly, they had many entries,” Dustin Childs, ZDI communications manager, told eWEEK. “We’ve seen this happen in the past with large teams, but not with a duo like them.”

      In years past, there had been broader participation from researchers from different geographies, including China. Researchers from China, however, are absent from Pwn2Own 2019. Childs noted that there have been regulatory changes in some countries that no longer allow participation in global exploit contests such as Pwn2Own and Capture the Flag competitions.

      Apple Exploits

      The Fluoroacetate team’s first target was a fully patched Apple macOS system running the Safari web browser. The researchers were able to exploit the browser using a bug class known as an integer overflow and then used a heap overflow bug to escape the macOS sandbox. Overflow bugs, whether in the heap or integer, involve a form of memory corruption or manipulation that enables an attacker to gain unauthorized access. ZDI awarded Fluoroacetate $55,000 for the full exploit chain.

      Fluoroacetate wasn’t the only group that targeted Apple. A pair of researchers identified as phoenhex & qwerty earned $45,000 for an exploit of Safari with a macOS kernel escalation.

      “It was a complete system compromise,” Childs said. “By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read—used twice—then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug.”

      Childs added that, unfortunately, it was only a partial win, since Apple already knew of one of the bugs used in the demo.

      Hypervisors

      Virtualization hypervisors were also on the target list for the first day of Pwn2Own 2019, with both Oracle VirtualBox and VMware Workstation falling to researchers.

      Fluoroacetate used an integer overflow and a race condition to escape the VirtualBox virtual machine to get unauthorized access to the underlying operating system. Fluoroacetate was also able to use a race condition bug to exploit VMware Workstation and get running code on the host operating system. According to Childs, Fluoroacetate didn’t use the same bug to exploit both VMware and Oracle.

      “The techniques are similar, but the bugs themselves are different,” he said.

      A race condition is a software defect whereby shared data is accessed by multiple concurrent threads without proper data access protection, which could lead to data loss, corruption or crashes. 

      Researcher Phạm Hồng Phi was also successful in being able to exploit Oracle VirtualBox, earning $35,000. Phi’s exploit used an integer underflow to gain access to the underlying operating system. With a virtualization hypervisor, a core fundamental component of the architecture is to isolate the virtual machine from the actual host operating system on which the hypervisor is running. What the Pwn2Own researcher was able to demonstrate is that they could escape the isolation.

      In years past, ZDI would only pay the first group of researchers who successfully exploited a target, but that’s not the case in 2019.

      “This year, we decided to pay full price for each successful demonstration—not just the first,” Childs said. “For both entries, the bugs reside in the VirtualBox hypervisor.”

      The ZDI policy is to privately disclose the new flaws to the impacted vendors, who will now have up to 120 days to patch the issues before a public disclosure is made. Pwn2Own 2019 continues on March 21, with researchers set to target the Mozilla Firefox and Microsoft Edge browsers.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×