Flash, Reader, Firefox and IE Fall on Pwn2Own Day 1

Discussion in 'other software & services' started by AutoCascade, Mar 19, 2015.

  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    https://threatpost.com/flash-reader-firefox-and-ie-fall-on-pwn2own-day-1/111720

    By Chris Brook, March 19, 2015, 11:39 am

    Four different research teams on Wednesday cracked four products—Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer—and collectively earned a payout of $317,000 on the first day of Pwn2Own 2015. The annual hacking contest, which kicked off Wednesday in Vancouver, runs concurrently with CanSecWest and is hosted by HP’s Zero Day Initiative and Google’s Project Zero.

    See more at: Flash, Reader, Firefox and IE Fall on Pwn2Own Day 1 http://wp.me/p3AjUX-t3W
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Isn't it insane how much money they are making with this stuff? And I also wonder if all these newfound vulnerabilities can be immediately exploited in an easy way.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,640
    Location:
    USA
    From that article: "...The four researchers earned $60,000 for the Flash hack, which took all of 30 seconds..."
    Sounds easy, and I bet most of these weren't "found" today. Someone probably knew about them before now.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    That is what these guys do; all day long they are searching for flaws that can be exploited. But why pay that much money for bugs? The only reason I could think of is because zero days are used for "APT attacks" on businesses and governments. I do wonder how MBAE and HMPA would fare against the flaws that were mentioned in the article.

    http://en.wikipedia.org/wiki/Advanced_persistent_threat
     
  5. 142395

    142395 Guest

    Remember, Google's strategy is "buy/turn blackhat hacker (into whitehat)". It is publicly stated (just google a bit). So they have to offer more money than criminals can get from selling exploits.
    It seems their strategy is functioning, as we haven't seen even a single ITW Chrome exploit, considering Chrome's popularity.
    Also note, tho I don't know those individual researchers, they're not necessarily dedicated vulnerability hunters. Some may be, but many researchers have their own job, and that is not to find 0days in those products. AFAIK, most of the work of security engineers is not much discussed here on Wilders.

    Those bugs won't be published until the vendor patches them. So unless someone else independently discovered the same bug, they cannot be exploited. Also, Mozilla & Google usually patch them within 48h, so there's not much room to abuse them even if leaked, while MS treats those bugs just like other vuln reports and is slow to patch.

    I don't know why you mentioned APT; maybe some of the exploits shown in Pwn2Own are ultra-sophisticated? That's true, but as far as it leverages memory corruption, most probably these products will block it (but that is for me a "so what?" thing, as they are not designed to bypass them, unlike real APT), while some logic flaw exploits or new techniques like COP & JOP would bypass them (I don't think those techniques are used). FYI, in recent APT more and more attackers tend to use zipped executables rather than exploits.

    I do not think that money is too much; rather, it's decent. What's really insane is that most companies don't pay vuln discoverers, and even worse, it is said some vendors treat them as if they are enemies!

    If a vendor can't afford a bug bounty, at least they should acknowledge them like Malwarebytes does. Sadly, it's not very rare that I hear complaints from those bug discoverers.
     
    Last edited by a moderator: Mar 20, 2015
  6. 142395

    142395 Guest

    I have now read the article; it includes some interesting stories.
    Wow, Tencent!:eek:
    So these teams found a total of 2 new TTF kernel vulns?
    Directory traversal was used to escape the sandbox. Maybe this can't happen if the sandbox is not based on path but on label (SELinux is in my mind ofc). The recent SBIE bypass found by Lumikai, a Wilders member, also seems to suggest a problem in Windows' security mechanism, tho I don't expect MS to implement true label-based access control.
    Can anyone explain how a cross-origin vuln leads to priv escalation?
     
  7. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    With Pwn2Own, a hacking competition hosted by HP’s Zero Day Initiative and Google’s Project Zero, drawing to a close, the final tally for bugs over the past two days is as follows:

    Microsoft Windows: 5 bugs
    Microsoft IE 11: 4 bugs
    Mozilla Firefox: 3 bugs
    Adobe Reader: 3 bugs
    Adobe Flash: 3 bugs
    Apple Safari: 2 bugs
    Google Chrome: 1 bug

    $442,500 paid out to researchers
     
  9. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    All the Windows hacks came against systems using all of EMET's compatible protections.
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Adobe software vulnerable? I don't believe it. Ooh look everybody ... a unicorn!
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    What's so hard to understand, aren't zero days also used in APT attacks? I can imagine that companies and agencies would pay quite a lot of money for these flaws, so that they can use them for industrial espionage, for example. But I was just trying to figure out why Google would pay that much, and it's probably because they can.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Thanks for the interesting feedback. And yes, you're right, everything can be bypassed. I think MBAE and HMPA are mainly focused on stopping exploits served by exploit kits, but it wouldn't hurt companies to use anti-exploit tools, perhaps combined with sandboxing. No matter how advanced the attack, it will become very hard for hackers to bypass several layers; I'm still convinced of that.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    That's true, I can also imagine that as a business you wouldn't want to deal with problems caused by anti-exploit tools, but then again, only targeted apps should be protected. And it also depends on how complex a network is, I wonder if Invincea FreeSpace (sandbox) can easily be implemented in any environment.
     
  15. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,135
    So does this prove that Chrome is the most secure of the web browsers?
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Is this true:
    http://casual-scrutiny.blogspot.ru/2015_03_01_archive.html

    "EMET fights tough, more than any public exploit mitigation solution out there. A lot tougher than MBAE and enterprise exploit detection products."
    True or false?
    To me they offer the same level of protection.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    It makes a better case for itself now. The guy who exploited it said it was the toughest to pull off.
     
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Nothing is bulletproof, but MBAE seems to offer fewer obstacles against a targeted attack than EMET.

    Given also that CFG technology helps detect and stop attempts of code hijacking, it would be interesting to know how it would complicate the attacks aimed at disarming the tools that use it...
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Hopefully some of the security researchers that pull off these bypasses will do some tests specifically regarding CFG to see what it can prevent and what its weaknesses might be. I am certainly curious about it since I had been following it since it was announced back in December. It's always nice to see something new with regard to anti-exploit mitigation. I enjoyed reading several blog posts by Trend Micro with decent detail on CFG, although it would be interesting seeing security researchers digging into it some more to see the potential.
     
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed "lokihardt," who worked alone and nabbed the single highest payout of the competition in the Pwn2Own history, an amazing bounty of $110,000 in just two minutes.
    Lee was able to take down both stable and beta versions of Google Chrome browser by exploiting a buffer overflow race condition bug in the browser and nabbed $75,000 as bug bounty. http://thehackernews.com/2015/03/browser-hacked-pwn2own.html?m=1
     
  21. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    So, almost useless?
    Isn't CFG per se a form of hardening that should help in raising the bar of code hijacking??

    In other words, EMET 5.2 (CFG-aware) + OS CFG-aware (8.1+) ~ EMET 5.2 + Vista/7 in terms of strength vs disarming??

    Just to understand... and sorry for my basic English.

    :)
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Last edited: Mar 23, 2015
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    No big deal, since any browser with decent script blocking wouldn't have been vulnerable.
     
  24. 142395

    142395 Guest

    Yes, also. But remember, those who perform APT are mostly dedicated professionals, so it's hard for Google or others to "buy" them, if not impossible. Nobody knows how much money is paid for them, while you can easily see how much a new exploit kit is on the black market.
    Ofc they can; if they couldn't, then they simply couldn't. Actually it's not just that they can, but they should and have to, to avoid security breaches, both for home users (individual damage will be small, but in total it's still big) and in corporate. Again, note Google (the top sponsor)'s strategy is more focused on buying blackhat hackers than just finding bugs.
    Agreed with the 1st comment, not the 2nd. As regenpijp, who obviously understands the problems in corporate security, wonderfully explained, the problem in corporate security is elsewhere, and it's very hard to keep all employees and systems always secure in a large enterprise. APT attackers know this well, thus recently they mainly use zipped exes rather than exploits, against which ofc anti-exploit does nothing, and a sandbox is not effective unless you can control how each employee uses their PC and the product. IOW, those products only make sense after you have employed effective policy, practice, and education. I think one reason those products are not as popular in corporate environments will be that they lack unified, visualized (not talking about availability of a GUI) and functional central management integrated with other security solutions. That is necessary in the enterprise, and there are many more options in the corporate security field. (Also note, the meaning of "targeted app" is much broader in a targeted attack. Using a non-popular alternative app doesn't make sense here; moreover, sometimes apps which usually are not regarded as attack gates are abused.)

    And after reading the article Sampei and CWS brought up here, as well as pondering the recent SBIE bypass, I came to think that actually bypassing those products doesn't require infinite resources. I think they are not people who have infinite resources; rather, if you read the article you'll find that actually the author is very stingy about his time and resources. In the bypass process he encountered many hurdles (different protections by MBAE), but it seems bypassing them didn't take much time for him.

    As to SBIE, any product has vulns. But what I noticed was, the bug was there for around 2 years and it's quite primitive, not an exotic one, and in a sense has been discussed numerous times in Linux security discussions (AppArmor vs SELinux). I think Windows' security architecture is too complex, so it leaves room for misconfiguration (remember, v3.76 doesn't have the bug). The only effective countermeasure will be a thorough audit, but we can't expect such thorough investigation like in Pwn2Own for such minor proprietary software.
     
  25. 142395

    142395 Guest

    Theoretically HMPA should offer better protection on Caller, but for this to be true they have to raise challenges for their product. MBAE is tested (I don't mean AV-Comparatives-like tests) and so far there have been 3 bypasses (now 4), while EMET is more tested and much improved, as you know. IMO, SurfRight has to make their version of a "hall of fame" and gather as many challenges as they can.
     