At the two-day Pwn2own contest last week, all major web software were “pwned”. Sponsored by Hewlett-Packard and organised by HP-owned Zero-Day Initiative, a total of US$850,000 in prize money was paid out to winners. Apple Safari, Google Chrome, Microsoft Internet Explorer and Mozilla Firefox browsers were hacked successfully, as well as Adobe Reader and Flash.
Liang Chen, one of a pair of Chinese Keen Team hackers, successfully broke Safari. The big challenge was bypassing the Safari sandbox, and the team had to chain together two vulnerabilities to successfully exploit the system. The exploit was witnessed and disclosed to HP’s Zero Day Initiative, and witnessed by Apple representatives.
Together with team-mate Fang Jiahong, the Keen Team netted a US$62,500 prize for pwning Safari and additionally a US$75,000 prize for a zero-day exploit of Adobe Flash. A portion of the winnings will go to charities representing the families of the missing Malaysian Airlines flight MH370.
Chen said, “For Apple, the OS is regarded as very safe and has a very good security architecture.” He continued, “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”
Jiahong is said to have a passion for digging for vulnerabilities, not limited to Apple’s platforms, but also for Microsoft platforms. His current focus is Android which requires a deeper study of the OS compared to iOS, attributed to Android’s fragmentation.
The annual Pwn2own contest took place from 12-13 March 2014 in Vancouver, Canada at the CanSecWest 2014 conference.. The competition combines multiple vulnerabilities of unprecedented difficulty, with highly attractive rewards.
The contest
The 2014 competition consists of three divisions: Browsers, Plug-Ins and the Grand Prize. The first contestant to successfully exploit a target within the 30-minute limit wins the prize in the category.
The 2014 targets are:
Browsers:
- Google Chrome on Windows 8.1 x64: US$100,000
- Microsoft Internet Explorer 11 on Windows 8.1 x64: US$100,000
- Mozilla Firefox on Windows 8.1 x64: US$50,000
- Apple Safari on OS X Mavericks: US$65,000
Plug-ins:
- Adobe Reader running in Internet Explorer 11 on Windows 8.1 x64: US$75,000
- Adobe Flash running in Internet Explorer 11 on Windows 8.1 x64: US$75,000
- Oracle Java running in Internet Explorer 11 on Windows 8.1 x64 (requires click-through bypass): US$30,000
“Exploit Unicorn” Grand Prize:
- SYSTEM-level code execution on Windows 8.1 x64 on Internet Explorer 11 x64 with EMET (Enhanced Mitigation Experience Toolkit) bypass: US$150,000*
Source: Fortune Tech, Threat Post
