Pwn2Own 2017 第一天比赛回顾
The first day of Pwn2Own 2017 has come to a close, and so far, we’ve awarded $233,000 USD and 45 points for Master of Pwn. Today saw five successful attempts, one partial success, two failures, and two entries withdrawn.
|德国 Samuel Groß and Niklas Baumstark||苹果Safari浏览器和MacOS root||部分成功|
|德国 Ralf-Philipp Weinmann||Edge浏览器+Win10系统权限||弃权|
|美国 RichardZhu||苹果Safari+MacOS root||挑战失败|
Our day started with the 360 Security team successfully using a jpeg2000 heap overflow, a Windows kernel info leak, and an uninitialized Windows kernel buffer to gain remote code execution (RCE) through Adobe Reader. In the process, they earned themselves $50,000 USD and 6 points towards Master of Pwn.
360安全团队利用jpeg2000 栈溢出，Windows内核信息泄露和未初始化的Windows内核缓冲区通过Adobe Reader获得远程代码执行。获得5W美金和6个积分。
Next up, Samuel Groß and Niklas Baumstark earned some style points by leaving a special message on the touch bar of the targeted Mac. They employed a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate their privileges to root in macOS. Unfortunately, the UAF had already been corrected in the beta version of the browser, but this bug chain still netted them a partial win, garnering them $28,000 and 9 Master of Pwn points.
接下来是来自德国的Samuel Groß 和 Niklas Baumstark团队，挑战苹果Safari和MacOS提权。他们首先在目标macbook的 touchbar上留下一条特殊信息获得1分。在攻击Safari上，利用UAF结合三个逻辑错误和一个空指令取消引用来利用safari从而在macos中提权到root。但是部分漏洞已经被苹果公司修正了，所以他们只成功了部分。最终获得了28000美元和9分
The next contestant was Tencent Security – Team Ether targeting Microsoft Edge. They succeeded by using an arbitrary write in Chakra and escaped the sandbox using a logic bug within the sandbox. This netted them a cool $80,000 and 10 points for Master of Pwn.
Ubuntu Linux was welcomed to Pwn2Own by the Chaitin Security Research Lab. They leveraged a Linux kernel heap out-of-bounds access bug to earn themselves $15,000 and 3 Master of Pwn points. We’ve seen folks pop calc before, but popping xcalc was a nice touch..
Despite their earlier success, Tencent Security – Team Ether withdrew their entry targeting Microsoft Windows. Ralf-Philipp Weinmann also withdrew his attempt to exploit Microsoft Edge. Perhaps the recent security patches affected their exploits after all.
Next, Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting Google Chrome with a SYSTEM-level escalation. Unfortunately, they could not get their exploit chain working within the allotted timeframe, resulting in a failure.
However, the team came right back to target Adobe Reader and succeeded by using an info leak in Reader followed by a UAF to get code execution. They then leveraged a UAF in the kernel to gain SYSTEM-level privileges. Since this was the second win in the Enterprise Application category, it netted the team $25,000 and 6 points for Master of Pwn.
接下来腾讯安全团队又调整了Chrome，但是他们没有在规定的时间内完成，导致失败。 最后他们转向Adobe Reader，最终挑战成功，获得25000美元和6个积分的奖励。
The Chaitin Security Research Lab followed up their previous success with some fantastic late-evening exploits. They broke through Apple Safari to gain root access on macOS by using a total of six bugs in their exploit chain including an info disclosure in Safari, four different type confusion bugs in the browser, and a UAF in WindowServer. This spectacular demonstration earned them $35,000 and 11 points towards Master of Pwn. They also let us know their research was guided by advisories released through the ZDI program.
Overall, it was a fantastic start to the first day of our largest competition ever. The contestants successfully demonstrated 20 different bugs in their successful exploits. As for Master of Pwn, the Chaitin Security Research Lab currently leads the competition with 14 points. With two separate tracks happening on Day Two – including the first VMWare escape of the contest – Master of Pwn is still anyone’s game.