Flash, Reader, Firefox and IE Fall on Pwn2Own Day 1

Discussion in 'other software & services' started by AutoCascade, Mar 19, 2015.

  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    https://threatpost.com/flash-reader-firefox-and-ie-fall-on-pwn2own-day-1/111720

    By Chris Brook March 19, 2015 , 11:39 am

    Four different research teams on Wednesday cracked four products–Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer—and collectively earned a payout of $317,000 on the first day of Pwn2Own 2015. The annual hacking contest, which kicked off Wednesday in Vancouver, runs concurrently with CanSecWest and is hosted by HP’s Zero Day Initiative and Google’s Project Zero.

    See more at: Flash, Reader, Firefox and IE Fall on Pwn2Own Day 1 http://wp.me/p3AjUX-t3W
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Isn't it insane how much money they are making with this stuff? And I also wonder if all these new found vulnerabilities can be immediately exploited in an easy way.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    From that article: "...The four researchers earned $60,000 for the Flash hack, which took all of 30 seconds..."
    Sounds easy, and I bet most of these weren't "found" today. Someone probably knew about them before now.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    That is what these guys do, all day long they are searching for flaws, that can be exploited. But why pay that much money for bugs? The only reason I could think of, is because zero days are used for "APT attacks" on businesses and governments. I do wonder how MBAE and HMPA would fare against the flaws that were mentioned in the article.

    http://en.wikipedia.org/wiki/Advanced_persistent_threat
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Remember, Google's strategy is "buy/turn blackhat hacker (into whitehat)". It is publicly stated (just google a bit). So they have to offer more money than criminals can get from selling exploit.
    It seems their strategy is functioning as we haven't seen even single ITW Chrome exploit, considering Chrome's popularity.
    Also note, tho I don't know those individual researchers, they're not necessarily dedicated vulnerability hunter. Some may be so, but many of researchers have their own job and that is not to find 0day in those products. AFAIK, most work of security engineer have not much discussed here Wilders.

    Those bugs won't be published until vendor patches bug. So unless some others independently discovered the same bug, can not be exploited. Also, Mozilla & Google usually patches them within 48h so there's not many room to abuse them even if leaked, while MS treat those bug just like other vuln report and is slow to patch.

    I don't know why you mentioned APT, maybe some of exploits shown in Pwn2Own are ultra-sophisticated? That's true, but afa it leverages memory corruption most probably these products will block it (but that is for me "so what?" thing as they are not designed to bypass them unlike real APT), while some logic flaw exploit or new technique like COP & JOP would bypass them (I don't think those technique are used). FYI, in recent APT more and more attacker tend to use zipped executable rather than exploit.

    I do not think those money are too much, rather it's decent. What really insane is most company don't pay for vuln discoverer, and even worse, it is said some vendor treat them as if they are enemy!

    If a vendor can't afford bug bounty, at least they should acknoledge them like Malwarebytes do. Sadly, it's not very rare that I hear complaints from those bug discoverer.
     
    Last edited: Mar 20, 2015
  6. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I now read the article, it includes some interesting story.
    Wow, Tencent!:eek:
    So these teams found total of 2 new TTF kernel vuln?
    Directory traversal was used to escape sandbox. Maybe this can't happen if sandbox is not based on path but label (SELinux is in my mind ofc). Recent SBIE bypass found by Lumikai, Wilders member, also seems to suggest Windows' security mechanism's problem, tho I don't expect MS to implement true label based access control.
    Can anyone explain how cross-origine vuln lead to priv escalation?
     
  7. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    238
    Location:
    Neo Tokyo
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    With Pwn2Own, a hacking competition hosted by HP’s Zero Day Initiative and Google’s Project Zero, drawing to a close the final tally for bugs over the past two days is as follows:

    Microsoft Windows: 5 bugs
    Microsoft IE 11: 4 bugs
    Mozilla Firefox: 3 bugs
    Adobe Reader: 3 bugs
    Adobe Flash: 3 bugs
    Apple Safari: 2 bugs
    Google Chrome: 1 bug $442,500 paid out to researchers
     
  9. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    All the Windows hacks came against systems using all of EMET's compatible protections.
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    Adobe software vulnerable? I don't believe it. Ooh look everybody ... a unicorn!
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    What's so hard to understand, aren't zero days also used in APT attacks? I can imagine that companies and agencies would pay quite a lot of money for these flaws, so that they can use them for industrial espionage, for example. But I was just trying to figure out why Google would pay that much, and it's probably because they can.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Thanks, for the interesting feedback. And yes you're right, everything can be bypassed, I think MBAE and HMPA are mainly focused on stopping exploits served by exploit-kits, but it wouldn't hurt companies to use anti-exploit tools, perhaps combined with sandboxing. No matter how advanced the attack, it will become very hard for hackers to bypass several layers, I'm still convinced of that.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    That's true, I can also imagine that as a business you wouldn't want to deal with problems caused by anti-exploit tools, but then again, only targeted apps should be protected. And it also depends on how complex a network is, I wonder if Invincea FreeSpace (sandbox) can easily be implemented in any environment.
     
  15. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    So does this prove that Chrome is the most secure of the web browsers?
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,213
    Is this true:
    http://casual-scrutiny.blogspot.ru/2015_03_01_archive.html

    "EMET fights tough, more than any public exploit mitigation solution out there. A lot tougher than MBAE and enterprise exploit detection products."
    True or false?
    To me they offer the same level of protection.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It makes a better case for itself now. The guy who exploited it said it was the toughest to pull off.
     
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    363
    Location:
    italy
    nothing is bullet proof but MBAE seems to offer fewer obstacles against a targeted attack than EMET.

    Given also that CFG technology helps detect and stop attempts of code hijacking, it would be interesting to know how it would complicate the attacks aimed at disarming the tools that use it...
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    Hopefully some of the security researchers that pull off these bypasses will do some tests specifically regarding CFG to see what it can prevent and what it's weaknesses might be. I am certainly curious about it since I had been following it since it had been announced back in December. It's always nice to see something new with regard to anti-exploit mitigation. I enjoyed reading several blog post by Trend Micro with decent detail on CFG, although it would be interesting seeing security researchers digging into it some more to see the potential.
     
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,093
    Location:
    Hollow Earth - Telos
    The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed "lokihardt," who worked alone and nabbed the single highest payout of the competition in the Pwn2Own history, an amazing bounty of $110,000 in just two minutes.
    Lee was able to take down both stable and beta versions of Google Chrome browser by exploiting a buffer overflow race condition bug in the browser and nabbed $75,000 as bug bounty......http://thehackernews.com/2015/03/browser-hacked-pwn2own.html?m=1
     
  21. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    363
    Location:
    italy
    so, almost useless?
    Isn't CFG per-se a form of hardening that should help in rising the bar of code hijacking??


    In other words, EMET 5.2 (CFG-aware) + OS CFG-aware (8.1+) ~ EMET 5.2 + Vista/7 in terms of strenght vs disarming??

    Just to understand...and sorry for my basic English.

    :)
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Last edited: Mar 23, 2015
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    No big deal, since any browser with decent script blocking wouldn't have been vulnerable.
     
  24. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Yes, also. But remember, those who perform APT are mostly dedicated professionals, so it's hard for Google or other to "buy" them if not impossible. Nobody knows how much money is paid for them, while you can easily see how much new exploit kit is in black market.
    Ofc they can, if they can't, then simply they can't. Actually it's not just they can, but they should and have to do to avoid security breach, both in home user (individual damage will be small, but as a total it's still big) and in corporate. Again, note Google(top sponsor)'s strategy is more focused on buying blackhat hacker than just finding bugs.
    Agreed to 1st comment, not to 2nd. As regenpijp, he obviously understand problem in corporate security, wonderfully explained, the problem in corporate security is in other points and it's very hard to keep all employee and system always secure in large enterprise. APT attacker know this well thus recently mainly use zipped exe than exploit, which ofc anti-exploit do nothing, and sandbox is not effective unless you can control how each employee use their PC and the product. IOW, those products only makes sense after you employed effective policy, practice, and education. I think a reason those products are not as popular in corporate environment will be they lacks unified, visualized (not saying about availability of GUI) and functinal central management integrated with other security solution. That is necessary in enterprise, and there're many more options in corporate security field. (Also note, the meaning of "targeted app" is much broader in targeted attack. Using non-popular alternative app doesn't make sense here, moreover sometimes apps which usually are not regarded as attack gate are abused.)

    And after reading article Sampei and here CWS brought up as well as pondering recent SBIE bypass, I came to think actually bypassing those products don't require infinite resource. I think they are not who have infinite resource, rather if you read the article you'll find actually the author is very stingy about his time and resource. In the bypass process he encountered many hurdle (different protection by MBAE) but it seems bypassing them didn't take much time for him.

    As to SBIE, any products have vuln. But what I noticed were, the bug are there around 2 years and it's quite primitive, not exotic one and in a sense have been discussed numerous times in Linux security discussion (AppArmor vs SELinux). I think Windows' security architecture is too complex so leave a room to misconfiguration (remember, v3.76 don't have the bug). Only effective counter measure will be thorough audit, but we can't expect such thorough investigation like in Pwn2Own for those minor proprietary software.
     
  25. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Theoretically HMPA should offer better protection on Caller, but for this to be true they have to raise challenge for their product. MBAE are tested (I don't mean AV-Comperatives like test) and so far there'd been 3 bypasses (now 4), while EMET is more tested and improved much as you know. IMO, SurfRight have to make their version of "hall of fame" and gather as much challenge as they can.
     
Loading...