Safari exploit successfully demonstrated at Pwn2Own 2018

Posted:
in General Discussion
Trend Micro's Zero Day Initiative kicked off its annual Pwn2Own hacking competition on Wednesday with two attempts to exploit Apple's Safari web browser, one of which was successful.


Source: Zero Day Initiative via Twitter


Samuel Gro of phoenhex hacked Safari with a three bug chain containing a macOS elevation of privilege vulnerability, according to the convention's blog.

A press release provided additional detail, saying the exploit modified text on a MacBook Pro's touchbar. Gro received $65,000 for his efforts and six points toward the coveted Master of Pwn title.

A separate Safari exploit was attempted by Richard Zhu, who bypassed iPhone 7 security protocols using two Safari bugs at the Mobile Pwn2Own event in November. At Pwn2Own 2018, Zhu was unable to get his sandbox escape up and running within the allotted 30 minute time limit.

Zhu did, however, successfully target Microsoft Edge with a Windows kernel EoP, specifically two use after free (UAF) vulnerabilities and an integer overflow in the kernel.

Gro's phoenhex teammate Niklas Baumstark also saw partial success in a bug targeting Oracle VirtualBox.

Started in 2007, Pwn2Own is an annual hacking contest that encourages security researchers to find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Those successful get to keep the hacked device -- hence "pwn to own" -- receive a cash prize and, if they rack up enough points, a "masters" jacket, while vendors are given information about vulnerabilities and a chance to patch them.

This year, ZDI partnered with Microsoft and sponsor VMWare to offer $2 million in cash and prizes to hackers targeting virtualization, web browsers, enterprise applications, servers and a special Windows Insider Preview Challenge. Five contestants were selected at random take part in the two-day competition, which covers two of the target categories.

Day two of Pwn2Own commences on Thursday and will include two more attempts at Safari, including a macOS kernel EoP exploit and a sandbox escape.

Comments

  • Reply 1 of 17
    bluefire1bluefire1 Posts: 850member
    Apple will fix it soon enough.
    racerhomie3magman1979
  • Reply 2 of 17
    Dont worry plenty of other ways in. 
    lkrupp
  • Reply 3 of 17
    chasmchasm Posts: 1,049member
    These contests are very valuable in helping Apple (and the others) identify exploits and patch them. The Apple ones get all the press because, well, hacking other platforms is so easy and common I notice they don't even seem to have a category for Android hacks because you just call those ... wait for it ... "Android." (mic drop)
    racerhomie3magman1979dewmeseanismorrisStrangeDaysjony0
  • Reply 4 of 17
    welshdogwelshdog Posts: 1,638member
    More concerning is the organization's continued use of leetspeak in their name.  So childish.
  • Reply 5 of 17
    payecopayeco Posts: 230member
    welshdog said:
    More concerning is the organization's continued use of leetspeak in their name.  So childish.
    If the name of a hacking contest is causing you concern you should probably seek therapy.
    muthuk_vanalingambeowulfschmidtStrangeDaysjony0
  • Reply 6 of 17
    evilutionevilution Posts: 1,339member
    The hacks need access to the computer, so unless these hackers are also good at picking locks and immune to a baseball bat, I’m not concerned.
    kuduMuntz
  • Reply 7 of 17
    kimberlykimberly Posts: 167member
    payeco said:
    welshdog said:
    More concerning is the organization's continued use of leetspeak in their name.  So childish.
    If the name of a hacking contest is causing you concern you should probably seek therapy.
     :D  :D :D
  • Reply 8 of 17
    bloggerblogbloggerblog Posts: 1,807member
    evilution said:
    The hacks need access to the computer, so unless these hackers are also good at picking locks and immune to a baseball bat, I’m not concerned.
    It seems that it was done using code that was run in Safari. The concern is that a website could contain similar malicious code and hack into a visitor’s OSX.

    However it’s unclear how he changed the text on the touchbar, was it done in the OS, or within Safari’s sandbox? I think it’s the latter. If so it means he wouldn’t be able to do damage to the OS.

    Eitherway, 65K is a lot of dough and 30min is little time.
  • Reply 9 of 17
    hexclockhexclock Posts: 456member
    payeco said:
    welshdog said:
    More concerning is the organization's continued use of leetspeak in their name.  So childish.
    If the name of a hacking contest is causing you concern you should probably seek therapy.
    It’s just that hackers use such pretentious names.
    lkruppwelshdog
  • Reply 10 of 17
    lkrupplkrupp Posts: 6,530member
    hexclock said:
    payeco said:
    welshdog said:
    More concerning is the organization's continued use of leetspeak in their name.  So childish.
    If the name of a hacking contest is causing you concern you should probably seek therapy.
    It’s just that hackers use such pretentious names.
    I’ve met a few of these types in my day. A lot of them are in or close to the Autism spectrum. To call them strange ducks is being kind. But we need ‘em in the worst way to keeping poking around. Code is so huge and complicated these days that no one but these types can figure things out. Their one quality is intense focus and blocking out everything else.
    edited March 2018 seanismorrisairmanchairmanjony0
  • Reply 11 of 17
    lkrupplkrupp Posts: 6,530member
    Oh, and for those who will come into this thread and claim they use Browser X because it’s more secure than Safari, that’s complete bullshit. They all hove holes, ALL of them can and have been hacked yet they all claim to be the most “secure” browser, including Apple’s Safari.
    edited March 2018
  • Reply 12 of 17
    _rick_v__rick_v_ Posts: 141member
    As others have already pointed out, Safari isn't the only browser targeted.  Historically, all of them get successfully hacked. 

    And the security contest doesn't just target browsers; they also target other popular web-connected apps like Adobe Acrobat, etc.  This year, they're adding virtual machines to the mix, which makes things quite interesting!

    https://www.thezdi.com/blog/2018/1/25/pwn2own-returns-for-2018-partners-with-microsoft-and-sponsored-by-vmware



  • Reply 13 of 17
    dysamoriadysamoria Posts: 1,884member
    Missing word. Second-last paragraph, last sentence...
  • Reply 14 of 17
    StrangeDaysStrangeDays Posts: 6,264member
    hexclock said:
    payeco said:
    welshdog said:
    More concerning is the organization's continued use of leetspeak in their name.  So childish.
    If the name of a hacking contest is causing you concern you should probably seek therapy.
    It’s just that hackers use such pretentious names.
    How is it any different than college and pro sports team names? it’s not. it’s just not your scene. 
    auxio
  • Reply 15 of 17
    Eitherway, 65K is a lot of dough and 30min is little time.
    LOL... Do you think he just came in cold and started "hacking" and happened to get lucky in 30 minutes? That's not how it works. He had 30 minutes to reproduce the hack, but the hack itself likely took him months to investigate and discover prior to this conference.
  • Reply 16 of 17
    LKrupp said:

    "I’ve met a few of these types in my day. A lot of them are in or close to the Autism spectrum. To call them strange ducks is being kind. But we need ‘em in the worst way to keeping poking around. Code is so huge and complicated these days that no one but these types can figure things out. Their one quality is intense focus and blocking out everything else."

    So true, if funny. Some of these types tend to blink eerily and do a POST (Power On Self Test) if you greet them and ask how they're doing!
    edited March 2018
  • Reply 17 of 17
    To me what would be more impressive is if they did the hacks from scratch on the day and not prepared them months in advance. That’s a sign of a great hacker but truth be told these hackers are really nothing but hacks.

    Truth is though that hacking is just as much a skill as programming. It’s the equivalent of being on a beach looking for a specific grain of sand and then finding it. We need these types of hackers, it’s the black hatters that need a kick in the balls or if female the Anchorman threat “punched in the ovaries” because they don’t tell anyone about the exploits they just exploit them for monetary gain.

    Those cryptoviruses that started showing up on Windows a couple of years ago are a classic example but grey hatters hacked those and provided the world with the keys. Two sides to every coin really.
Sign In or Register to comment.