Browsers Fall in Hacking Contest
Tuesday, March 13, 2012 @ 04:03 PM gHale
It was a hacking competition, and the end results were very revealing.
At the end of the Pwn2Own competition at CanSecWest, Google Chrome, Microsoft Internet Explorer and Mozilla Firefox were all subject to zero day exploits, winning the teams involved the maximum points for an exploit.
Chrome also fell a second time in Google’s own Pwnium contest with an attack that pulled together three zero day vulnerabilities.
At the end of the competition, the VUPEN team took first place, and the $60,000 prize, with 123 points, after toppling Internet Explorer and Google Chrome. Their Chrome exploit leveraged flaws in the Flash player bundled with the browser, while their Internet Explorer exploit first triggered a heap buffer overflow, working around DEP and ASLR protections.
They then made use of a memory error to break out of the sandbox (protected mode) of the web browser. VUPEN will only be revealing details of the heap overflow, keeping the protected mode bypass a secret that it can sell to its customers. It claims the exploit also works on Internet Explorer 10, but that browser has more protections against use-after-free bugs and memory leaks, making it more difficult to exploit.
Meanwhile, Mozilla Firefox fell to the team of Willem Pinckaers and Vincenzo Iozzo, who together took second place overall in Pwn2Own. Their single zero day vulnerability in Firefox was a use-after-free problem which evaded DEP and ASLR protections in Windows 7. According to reports, the vulnerability was first used to leak information multiple times; that information was then used to prepare code for execution, again through the same vulnerability. Pinckaers and Iozzo won $30,000 with 66 points.
At Google’s Pwnium contest, Chrome fell a second time after a hacker going by the name of “Pinkie Pie,” also the name of a My Little Pony character, chained three zero day vulnerabilities in Chrome together to break out of the browser’s sandbox and execute code.
The exploit came out only hours before the contest closed. Google has since patched the vulnerabilities. The Google competition was independent of Pwn2Own; the search company decided to sponsor its own contest after discovering rule changes meant participants did not have to disclose vulnerabilities used in Pwn2Own to the affected vendors.