Day in and day out, vendors do their best to keep their software patched and free from zero-day vulnerabilities. Then along comes the annual Pwn2Own competition and within minutes, elite researchers are able to demonstrate new zero-day flaws.
The first day of Pwn2Own 2019 on March 20 in Vancouver, Canada, saw researchers reveal new zero-day vulnerabilities in Apple Safari and macOS, as well as Oracle VirtualBox and VMware Workstation. Pwn2Own, which is operated by Trend Micro’s Zero Day Initiative (ZDI), rewards researchers with cash prizes for demonstrating new zero-day vulnerabilities during the live event. All told, researchers collected a total of $240,000 in awards for their efforts and there are still two more days left.
A team known as Fluoroacetate, made up of researchers Amat Cama and Richard Zhu, was the big winner on day one, exploiting Apple Safari, Oracle VirtualBox and VMware Workstation, earning $160,000 for their day’s effort. In terms of how a single group was so successful, it has to do with circumstance and opportunity.
“Part of it was luck of the draw, but mainly, they had many entries,” Dustin Childs, ZDI communications manager, told eWEEK. “We’ve seen this happen in the past with large teams, but not with a duo like them.”
In years past, there had been broader participation from researchers from different geographies, including China. Researchers from China, however, are absent from Pwn2Own 2019. Childs noted that there have been regulatory changes in some countries that no longer allow participation in global exploit contests such as Pwn2Own and Capture the Flag competitions.
The Fluoroacetate team’s first target was a fully patched Apple macOS system running the Safari web browser. The researchers were able to exploit the browser using a bug class known as an integer overflow and then used a heap overflow bug to escape the macOS sandbox. Overflow bugs, whether in the heap or integer, involve a form of memory corruption or manipulation that enables an attacker to gain unauthorized access. ZDI awarded Fluoroacetate $55,000 for the full exploit chain.
Fluoroacetate wasn’t the only group that targeted Apple. A pair of researchers identified as phoenhex & qwerty earned $45,000 for an exploit of Safari with a macOS kernel escalation.
“It was a complete system compromise,” Childs said. “By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read—used twice—then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug.”
Childs added that, unfortunately, it was only a partial win, since Apple already knew of one of the bugs used in the demo.
Virtualization hypervisors were also on the target list for the first day of Pwn2Own 2019, with both Oracle VirtualBox and VMware Workstation falling to researchers.
Fluoroacetate used an integer overflow and a race condition to escape the VirtualBox virtual machine to get unauthorized access to the underlying operating system. Fluoroacetate was also able to use a race condition bug to exploit VMware Workstation and get running code on the host operating system. According to Childs, Fluoroacetate didn’t use the same bug to exploit both VMware and Oracle.
“The techniques are similar, but the bugs themselves are different,” he said.
A race condition is a software defect whereby shared data is accessed by multiple concurrent threads without proper data access protection, which could lead to data loss, corruption or crashes.
Researcher Phạm Hồng Phi was also successful in being able to exploit Oracle VirtualBox, earning $35,000. Phi’s exploit used an integer underflow to gain access to the underlying operating system. With a virtualization hypervisor, a core fundamental component of the architecture is to isolate the virtual machine from the actual host operating system on which the hypervisor is running. What the Pwn2Own researcher was able to demonstrate is that they could escape the isolation.
In years past, ZDI would only pay the first group of researchers who successfully exploited a target, but that’s not the case in 2019.
“This year, we decided to pay full price for each successful demonstration—not just the first,” Childs said. “For both entries, the bugs reside in the VirtualBox hypervisor.”
The ZDI policy is to privately disclose the new flaws to the impacted vendors, who will now have up to 120 days to patch the issues before a public disclosure is made. Pwn2Own 2019 continues on March 21, with researchers set to target the Mozilla Firefox and Microsoft Edge browsers.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.