Pwn2Own 2018 Results

Earlier this month the annual Pwn2Own white hat (defined) hacking contest took place, shortened from 3 days to 2 days.

This year’s competition was also impacted by a recent regulatory change meaning that Chinese participants were unable to attend. This is unfortunate since previous years’ competitions have been excellent and this had a real impact on the success of this year’s competition; perhaps next year’s will be better? Further details of the regulatory change are available here.

The following products were successfully exploited this year, resulting in USD$267k being awarded. Exploits which could not be completed in the allocated time of 30 minutes were also purchased, which is fair in my opinion since they could still be a threat and the researchers more than deserve the credit for the time and effort they invest.

Similar to previous years, kernel (defined) exploits were used each time to exploit the web browsers, due to the sandboxing (defined) technology used to harden them.

As noted in this article (and my previous blog posts), kernels are becoming even more complex and can easily consist of millions of lines of code. My previous advice of static analysis/auditing/fuzzing (defined here and here) still applies. These won’t detect every vulnerability but will significantly reduce them. As before, writing more secure code using the development practices discussed in last year’s Pwn2Own post will reduce the vulnerability count even further, both now and into the future.

Just like last year, Mozilla updated Firefox very quickly; this time in less than a day, to versions 59.0.1 and 52.7.2 ESR.

The full list of products exploited is provided below. Thank you.

Apple Safari (2 attempts were successful using macOS kernel elevation of privilege (defined) vulnerabilities)

Microsoft Edge

Mozilla Firefox

Oracle VirtualBox

Pwn2Own 2017 Results

The final day of competition within Pwn2Own 2017 took place on Friday, 17th March. Full details of how the individual teams performed and how many exploits were successful are available here, here and here.

In summary the following products were successfully exploited:

Adobe Flash
Adobe Reader
Apple Safari
Apple macOS (mostly the macOS kernel) (defined)
Microsoft Edge
Microsoft Windows kernel
Mozilla Firefox
Ubuntu Linux
VMware Workstation

The contest saw 51 vulnerabilities used and a total of USD$833,000 awarded to the contestants (a very large increase over last year’s USD$460K). As I noted last year, many vulnerabilities once again were present within the macOS and Windows kernels specifically:

Apple macOS kernel:
race condition (defined)
information disclosures (defined)
out of bounds (OOB) bug (defined)

Microsoft Windows kernel:
integer overflows (defined)
buffer overflows (defined)
uninitialised buffers (discussed here)
use-after-free (defined here and here)
information disclosures
out of bounds (OOB) bug
race condition

As before, Microsoft and Apple need to do more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel to find and resolve vulnerabilities before they are exploited. It is a surprise that this year again highlights this shortcoming, which secure coding practices, e.g. Microsoft’s SDL and Adobe’s SPLC (among others), were intended to reduce.

Of note, Mozilla released Firefox 52.0.1 to resolve an integer overflow vulnerability less than 1 day after its disclosure during Pwn2Own; a fantastic response time.

Update: 28th March 2017:
On the 28th of March, VMware made available security updates to address the vulnerabilities discovered during Pwn2Own.

Apple have also made available updates (listed in this post) to resolve the vulnerabilities discovered in Pwn2Own 2017. It is unclear if all vulnerabilities are now addressed.

Update: 11th April 2017:
In late March, the Linux kernel vulnerability disclosed during Pwn2Own was resolved very quickly with Ubuntu also releasing their fix for this issue.

Adobe have released updates for Flash and Acrobat/Reader to address what appears to be 5 vulnerabilities in Flash and 6 in Acrobat/Reader (assuming near sequential CVEs and the team names attributed to them) disclosed during Pwn2Own.

We can again look forward to these vulnerabilities being addressed over the coming months; helping to make our products more secure.

Thank you.

Pwn2Own 2017 Contest Announced (Tenth Anniversary)

Update: 19th March 2017:
A more recent blog post discusses the results of the 2017 Pwn2Own contest.

Thank you.

Original Post:
With the month of March not too far away, I’m looking forward to the annual Pwn2Own contest taking place in Vancouver, Canada. Regular readers of this blog will know of the benefits it brings and why I look forward to it each year.

This year sees the return of Adobe Reader to the competition; a good decision due to the large numbers of vulnerabilities still being patched. I applaud the decision of Mozilla Firefox returning too since a zero day (defined) exploit was seen in recent times. It’s also in the top 3 in terms of usage. With a 64 bit version now available it should increase usage/competitiveness even further.

The full list of products that will be in the competition is here.

Just some of the interesting new additions are Ubuntu, Microsoft Hyper-V and Microsoft Office applications, which have never been present before. With vulnerabilities being patched routinely for all three of these categories (especially for Microsoft Office), their inclusion should help us all when vulnerabilities are exploited and the researchers rewarded for their excellent work.

With the rise of malware for Apple Mac OS X and Linux it’s great to see them both in the contest this year. Previously only Mac OS was present.

Since the contest is celebrating its 10th anniversary it’s great to see other additions such as the Apache web servers and Ubuntu servers too. I often see servers installed and patched very little, if at all. This leads to situations where servers continue to have vulnerabilities long after they have been patched (more on that in this blog post). As for web servers, cross site scripting and CSRF remain consistent threats.

With extra points awarded for root access (defined) for Mac OS X or System level (defined) access for Windows, this year’s contest is bigger than ever. The more vulnerabilities the researchers find, the more they are awarded and the more everyone benefits from the vulnerabilities being responsibly disclosed (defined) to their vendors.

I will write another post when the results of this year’s contest are available and will discuss any highlights and how they will benefit us as users of these products.

Thank you.

Pwn2Own 2016 Highlights Kernel Exploits

Update: 19th March 2017:
Apologies for not continually updating this post detailing the fixes for each issue identified. When I attempted to do so I found it wasn’t possible to identify the fixes.

During Pwn2Own, CVE numbers (defined) or other similar identifiers are generally not assigned to the vulnerabilities found when the results are published. When security updates that include CVEs become available, you cannot tell if they refer to Pwn2Own issues or simply routine responsible disclosures.

Occasionally vendors will mention they have resolved a Pwn2Own vulnerability, but not always. In addition, the names of the researchers who took part in the contest are frequently present in routine disclosures, making singling out specific vulnerabilities more difficult.

Thank you for your understanding.

Update: 25th March 2016:
The first security issue to be addressed as a result of this year’s Pwn2Own contest was a vulnerability in Google Chrome as detailed in a more recent blog post.

Thank you.

Original Post:
As scheduled the final day of Pwn2Own 2016 took place on the 17th of March. Full details of how the individual teams performed and how many exploits were successful are available here and here. In summary Adobe Flash, Apple Safari and Microsoft Edge were successfully exploited with Google Chrome only partially exploited using a known issue.

As noted by Trend Micro, the highlights of this year’s contest include that every exploit presented achieved System/root privileges (separately defined), which took advantage of flaws such as buffer overflows (defined) within the kernels (defined) of these products. With the focus of exploits changing to target the kernel, this is a worrying trend and highlights the need for more thorough static analysis/auditing/fuzzing (defined here and here) of the kernel by the vendors to find and resolve vulnerabilities before they are exploited.

The prize money of $460k earned by the participants is truly amazing. Pwn2Own was again a great success and we can look forward to the issues found in the above-mentioned products being fixed and rolled out to us in the coming months.

Thank you.

Upcoming Pwn2Own 2016 Contest Announced

Update: 20th March 2016:
A more recent blog post discusses the outcome of Pwn2Own 2016.

Thank you.

Original Post:
Next month on March the 16th and 17th the annual CanSecWest security conference will take place. As you know I’m a particular fan of this since it includes the Pwn2Own contest.

This year Mozilla Firefox and Adobe Reader won’t be included. Exploits for Firefox are quite rare while exploits for Adobe Reader have mostly ceased to be used by exploit kits (defined) in recent years so I can see why this decision was made. However while this is the case, we still see security updates being made available for both of these products on a regular basis. Other changes are the fact that the operating systems to be exploited won’t be directly installed on the computers within the contest but within VMware virtual machines (VMs). Additional prize money will be awarded if the researchers can have their exploits escape from within the VMs.

This contest will mark the first time that Apple Mac OS X 10.11 (“El Capitan”), Microsoft Edge and Windows 10 will be part of the competition as security researchers attempt to exploit the very latest versions of these products. Similar to last year, Microsoft EMET will be used to make the exploitation of vulnerabilities more difficult. Whether more vulnerabilities will be found in EMET or if it is simply present for the purpose mentioned above remains to be seen.

Further details of this year’s contest are available here. I will post again when the results of the contest are known, including any highlights showing how we, as users of the software present in the contest, can look forward to being more secure and/or whether more security features will be added as a result of the contest.

Thank you.

The Benefits of the Pwn2Own Contest and Security Vulnerability Disclosure

With the CanSecWest Pwn2Own security vulnerability discovery contest ending almost 3 weeks ago, an interesting question was raised on the Sophos security blog: should this competition continue, since some consider that it is over-dramatizing the nature of security vulnerabilities?

I thoroughly believe this competition should continue since over the years it has been responsible for valuable progress being made in security defences. Since this competition follows a responsible disclosure model, I believe this is another reason that it should continue.

Re-quoting my full explanation within the comments section of the above blog post:

I voted Positive for this. I think Pwn2Own is worth every cent/penny. While I acknowledge there is a certain amount of drama/spectacle about the event, the work the security researchers are doing is invaluable. The vendors are essentially having penetration testing carried out and since it’s being done by outsiders it can be more objective than an internal audit (please don’t misunderstand me, internal audits are still worthwhile).

The researchers are putting in the effort, expertise and time into creating these exploits just like a malicious hacker would. While any vendor would state their product is as secure as possible and meets all of their quality assurance checks the researchers can still exploit/pwn them. I believe that the vendors are having flaws found that would not otherwise be found or worse are exploited maliciously before a patch is available i.e. a zero day flaw (alternative definition).

For example, in 2013, 2 particularly noteworthy flaws were an exploit for Internet Explorer that raised the exploit’s integrity level (its permission level or authority level) from low to medium and the LDRHotpatch ASLR/DEP bypass. This latter exploit used an undocumented API call to carry out its malicious intent. This exploit led to the later development and inclusion of the Banned Functions mitigation into Microsoft EMET. Microsoft even mentioned (in an SRD blog post) how novel/unheard of these exploits really were and how correcting them was far from trivial.

I believe this particular flaw may have been eventually exploited as a zero day flaw rather than being disclosed responsibly. This is the real benefit I see from Pwn2Own. The security researchers think outside of the box in that they come up with exploit methods that the vendors never even thought of or even knew were possible and exploit them. Since they are being disclosed responsibly we all benefit from the experience/knowledge the vendors obtain from the researchers.

I consider this event pivotal to the development/enhancement of security for us all since vendors can and do become complacent in their development practices. It’s only when they are shown how badly a product can be exploited and how vulnerable it really is, only then will the vendor take notice and make the necessary changes and possible improvements to their quality assurance process to protect it, otherwise the product would stay as it is.

I realize many people would not agree with me but I think it is in all of our interests that this competition/event continues. Thank you.

One point that was not raised within the wider online IT security press coverage of Pwn2Own 2015 was that Microsoft EMET was used to harden each of the devices running Windows. While all of the products within the contest were compromised at least once, this does not mean that EMET is of little benefit. It simply means that the exploits were sophisticated enough to avoid/bypass EMET to carry out their intended purpose. Moreover, these are not the only examples of exploits being able to successfully bypass EMET; the following 3 links demonstrate this (for EMET 5.2).

Example 1
Example 2
Example 3

For these reasons it will be interesting to see how Microsoft enhance EMET in the future for EMET version 5.3 or 6.0.

When I mention responsible disclosure (above), what exactly is meant by this and how does it differ from the more controversial (but still very important) public/full disclosure and why does the difference between these two matter?

Responsible disclosure occurs when a security researcher discovers a security vulnerability and reports it to the software vendor (the company that commercially produces the software product in question). If after a certain duration of time (e.g. 90 days) the vendor does not respond to the security researcher who reported the flaw to them, the researcher can then fully/publicly disclose the flaw to the wider security community.

Responsible disclosure has advantages for the vendor since they have a window of opportunity to resolve the flaw before full disclosure (the length of this window can vary), which protects the vendor’s customers from ever being exposed to the flaw. In addition, the researcher will very likely be acknowledged by the vendor for taking the time and effort to report the flaw. Responsible disclosure is usually preferred since it minimizes the exposure of the vendor’s customers to security risks. With bug bounty programs becoming more prevalent, responsible disclosure remains very popular.

Full/public disclosure reports the discovery of a security flaw to the wider security community (along with information on which versions of the vendor’s products are affected by this flaw) without first contacting the affected vendor.

Usually the publication of the information concerning this flaw will contain information on how to reduce your exposure to (mitigate) this flaw e.g. changing a setting within the software, not using a certain aspect of the software or not opening suspicious files of a specific file type etc. This is a potential advantage since it allows anyone vulnerable to the flaw to protect themselves before a patch (software fix) is available.

I use the word “potential” above since it is possible that, with the details published by the security researcher, a person with malicious intent could write the code of an exploit to be used by anyone, e.g. malware creators, to infect people’s devices using the affected software before a patch is available.

Full disclosure has the potential advantage of motivating the software vendor into quickly resolving the security flaw rather than risk any bad reputation that may develop should some of its customers become compromised because of this security flaw before that vendor has a chance to resolve it.

Since the Pwn2Own contest follows a model of responsible disclosure, the security researchers benefit from the prize money, winning the devices they exploit/pwn and being credited with a successful exploit. The software vendors also benefit since they can examine how the exploit was built and create a patch to prevent the exploit having the desired effect in the future, as well as having the opportunity to harden the software in order to prevent similar exploits in the future. Such flaws are also unlikely to become zero day flaws. This matters to everyone since the products within the contest are very widely used and being able to strengthen a product that we use each day is always beneficial. Thank you.