Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Pwn2Own Researchers Reveal Oracle, VMware, Apple Zero-Day Exploits

    By
    Sean Michael Kerner
    -
    March 21, 2019
    Share
    Facebook
    Twitter
    Linkedin
      Pwn2Own 2019

      Day in and day out, vendors do their best to keep their software patched and free from zero-day vulnerabilities. Then along comes the annual Pwn2Own competition and within minutes, elite researchers are able to demonstrate new zero-day flaws.

      The first day of Pwn2Own 2019 on March 20 in Vancouver, Canada, saw researchers reveal new zero-day vulnerabilities in Apple Safari and macOS, as well as Oracle VirtualBox and VMware Workstation. Pwn2Own, which is operated by Trend Micro’s Zero Day Initiative (ZDI), rewards researchers with cash prizes for demonstrating new zero-day vulnerabilities during the live event. All told, researchers collected a total of $240,000 in awards for their efforts and there are still two more days left.

      A team known as Fluoroacetate, made up of researchers Amat Cama and Richard Zhu, was the big winner on day one, exploiting Apple Safari, Oracle VirtualBox and VMware Workstation, earning $160,000 for their day’s effort. In terms of how a single group was so successful, it has to do with circumstance and opportunity.

      “Part of it was luck of the draw, but mainly, they had many entries,” Dustin Childs, ZDI communications manager, told eWEEK. “We’ve seen this happen in the past with large teams, but not with a duo like them.”

      In years past, there had been broader participation from researchers from different geographies, including China. Researchers from China, however, are absent from Pwn2Own 2019. Childs noted that there have been regulatory changes in some countries that no longer allow participation in global exploit contests such as Pwn2Own and Capture the Flag competitions.

      Apple Exploits

      The Fluoroacetate team’s first target was a fully patched Apple macOS system running the Safari web browser. The researchers were able to exploit the browser using a bug class known as an integer overflow and then used a heap overflow bug to escape the macOS sandbox. Overflow bugs, whether in the heap or integer, involve a form of memory corruption or manipulation that enables an attacker to gain unauthorized access. ZDI awarded Fluoroacetate $55,000 for the full exploit chain.

      Fluoroacetate wasn’t the only group that targeted Apple. A pair of researchers identified as phoenhex & qwerty earned $45,000 for an exploit of Safari with a macOS kernel escalation.

      “It was a complete system compromise,” Childs said. “By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read—used twice—then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug.”

      Childs added that, unfortunately, it was only a partial win, since Apple already knew of one of the bugs used in the demo.

      Hypervisors

      Virtualization hypervisors were also on the target list for the first day of Pwn2Own 2019, with both Oracle VirtualBox and VMware Workstation falling to researchers.

      Fluoroacetate used an integer overflow and a race condition to escape the VirtualBox virtual machine to get unauthorized access to the underlying operating system. Fluoroacetate was also able to use a race condition bug to exploit VMware Workstation and get running code on the host operating system. According to Childs, Fluoroacetate didn’t use the same bug to exploit both VMware and Oracle.

      “The techniques are similar, but the bugs themselves are different,” he said.

      A race condition is a software defect whereby shared data is accessed by multiple concurrent threads without proper data access protection, which could lead to data loss, corruption or crashes. 

      Researcher Phạm Hồng Phi was also successful in being able to exploit Oracle VirtualBox, earning $35,000. Phi’s exploit used an integer underflow to gain access to the underlying operating system. With a virtualization hypervisor, a core fundamental component of the architecture is to isolate the virtual machine from the actual host operating system on which the hypervisor is running. What the Pwn2Own researcher was able to demonstrate is that they could escape the isolation.

      In years past, ZDI would only pay the first group of researchers who successfully exploited a target, but that’s not the case in 2019.

      “This year, we decided to pay full price for each successful demonstration—not just the first,” Childs said. “For both entries, the bugs reside in the VirtualBox hypervisor.”

      The ZDI policy is to privately disclose the new flaws to the impacted vendors, who will now have up to 120 days to patch the issues before a public disclosure is made. Pwn2Own 2019 continues on March 21, with researchers set to target the Mozilla Firefox and Microsoft Edge browsers.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×