The entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise.
That’s what happened at the 2013 Pwn2own browser security challenge, operated by HP TippingPoint’s Zero Day Initiative (ZDI), during which Chrome, Firefox and IE were all hacked and demonstrably shown to be at risk from previously unknown vulnerabilities.
“We wanted to demonstrate as many bugs as we could,” said Brian Gorenc, manager of vulnerability research, Zero Day Initiative, HP DVLabs. “The stuff we enjoy at ZDI is how elegant the bugs are.”
Among the winners was security researcher “Nils,” who returned to Pwn2own after a three-year absence from the event. At the 2009 Pwn2own event, the previously unknown Nils shocked the world by exploiting Safari, IE 8 and Firefox 3.x, marking the first time that a single researcher had ever accomplished a browser hacking trifecta.
Chrome Goes Down
This year Nils, now officially working with a group known as MWR Labs, demonstrated a Google Chrome exploit that included a full breakout from the Chrome sandbox. In a blog post, Nils explained that he was able to exploit previously undiscovered vulnerabilities against Chrome running on Windows. The attack leveraged a kernel vulnerability in Windows in order to escalate privileges.
“As with many modern operating systems, there were a series of memory protection mechanisms that needed to be bypassed before reliable code execution could be achieved,” Nils wrote. “We were able to exploit the first vulnerability in multiple ways, allowing us to leak the addresses of several objects in memory, calculate the base address of certain system dlls, read arbitrary data, and gain code execution.”
Nils is being awarded $100,000 for the exploit, which involved multiple vulnerabilities that have already been submitted to both Google and Microsoft.
Firefox and IE Hacked
Mozilla’s open source Firefox Web browser was targeted by last year’s big Pwn2own winner, security firm VUPEN. VUPEN was able to exploit Firefox via a use-after-free memory flaw paired with an ASLR/DEP memory exploit. ASLR and DEP are operating system features found in Windows that are intended to protect memory from exploitation.
VUPEN was awarded $60,000 for the Firefox exploit, but it didn’t stop there. VUPEN also went after IE 10.
“We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass,” VUPEN tweeted
VUPEN was awarded an additional $100,000 for the IE10 exploit. VUPEN was still not done ringing the cash register, however.
Multiple Java Hits
VUPEN also took aim at Java and was one of three groups of researchers to successfully execute a zero-day attack. VUPEN exploited Java with a heap overflow exploit that was able to get past ASLR to execute code. HP awarded VUPEN an additional $20,000 for the Java exploit.
Oracle just released Java 7 update 17 this week to fix a pair of flaws. Oracle has had to patch over 60 flaws in Java thus far in 2013.
For the first time ever at a Pwn2own event, more than one group of researchers took shots at a given technology. In 2013, in addition to VUPEN, two other groups of researchers demonstrated Java vulnerabilities, collecting $20,000 each.
HP’s Gorenc noted that $20,000 for a Java flaw is more money than ZDI typically pays for Java flaws. ZDI buys exploits and then reports the vulnerabilities to the affected vendors.
“This year, we’re purchasing all the vulnerabilities from pre-registered contestants since the point of our effort is to secure software through responsible disclosure,” Gorenc said. “We had budget available so we thought, what better place to do it and recognize the researchers than pwn2own?”
HP had originally put Apple Safari running on OS X Mountain Lion as a target for Pwn2own 2013. HP put a bounty of $75,000 for any researcher to claim against it, but no one did.
“No one pre-registered for Safari this year,” Gornec said. “Why that happened we don’t know; maybe they were focused on Chrome.”