Safari exploit successfully demonstrated at Pwn2Own 2018
Trend Micro's Zero Day Initiative kicked off its annual Pwn2Own hacking competition on Wednesday with two attempts to exploit Apple's Safari web browser, one of which was successful.
Samuel Gro of phoenhex hacked Safari with a three bug chain containing a macOS elevation of privilege vulnerability, according to the convention's blog.
A press release provided additional detail, saying the exploit modified text on a MacBook Pro's touchbar. Gro received $65,000 for his efforts and six points toward the coveted Master of Pwn title.
A separate Safari exploit was attempted by Richard Zhu, who bypassed iPhone 7 security protocols using two Safari bugs at the Mobile Pwn2Own event in November. At Pwn2Own 2018, Zhu was unable to get his sandbox escape up and running within the allotted 30 minute time limit.
Zhu did, however, successfully target Microsoft Edge with a Windows kernel EoP, specifically two use after free (UAF) vulnerabilities and an integer overflow in the kernel.
Gro's phoenhex teammate Niklas Baumstark also saw partial success in a bug targeting Oracle VirtualBox.
Started in 2007, Pwn2Own is an annual hacking contest that encourages security researchers to find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Those successful get to keep the hacked device -- hence "pwn to own" -- receive a cash prize and, if they rack up enough points, a "masters" jacket, while vendors are given information about vulnerabilities and a chance to patch them.
This year, ZDI partnered with Microsoft and sponsor VMWare to offer $2 million in cash and prizes to hackers targeting virtualization, web browsers, enterprise applications, servers and a special Windows Insider Preview Challenge. Five contestants were selected at random take part in the two-day competition, which covers two of the target categories.
Day two of Pwn2Own commences on Thursday and will include two more attempts at Safari, including a macOS kernel EoP exploit and a sandbox escape.
Samuel Gro of phoenhex hacked Safari with a three bug chain containing a macOS elevation of privilege vulnerability, according to the convention's blog.
A press release provided additional detail, saying the exploit modified text on a MacBook Pro's touchbar. Gro received $65,000 for his efforts and six points toward the coveted Master of Pwn title.
A separate Safari exploit was attempted by Richard Zhu, who bypassed iPhone 7 security protocols using two Safari bugs at the Mobile Pwn2Own event in November. At Pwn2Own 2018, Zhu was unable to get his sandbox escape up and running within the allotted 30 minute time limit.
Zhu did, however, successfully target Microsoft Edge with a Windows kernel EoP, specifically two use after free (UAF) vulnerabilities and an integer overflow in the kernel.
Gro's phoenhex teammate Niklas Baumstark also saw partial success in a bug targeting Oracle VirtualBox.
Started in 2007, Pwn2Own is an annual hacking contest that encourages security researchers to find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Those successful get to keep the hacked device -- hence "pwn to own" -- receive a cash prize and, if they rack up enough points, a "masters" jacket, while vendors are given information about vulnerabilities and a chance to patch them.
This year, ZDI partnered with Microsoft and sponsor VMWare to offer $2 million in cash and prizes to hackers targeting virtualization, web browsers, enterprise applications, servers and a special Windows Insider Preview Challenge. Five contestants were selected at random take part in the two-day competition, which covers two of the target categories.
Day two of Pwn2Own commences on Thursday and will include two more attempts at Safari, including a macOS kernel EoP exploit and a sandbox escape.
Comments
However it’s unclear how he changed the text on the touchbar, was it done in the OS, or within Safari’s sandbox? I think it’s the latter. If so it means he wouldn’t be able to do damage to the OS.
Eitherway, 65K is a lot of dough and 30min is little time.
And the security contest doesn't just target browsers; they also target other popular web-connected apps like Adobe Acrobat, etc. This year, they're adding virtual machines to the mix, which makes things quite interesting!
https://www.thezdi.com/blog/2018/1/25/pwn2own-returns-for-2018-partners-with-microsoft-and-sponsored-by-vmware
"I’ve met a few of these types in my day. A lot of them are in or close to the Autism spectrum. To call them strange ducks is being kind. But we need ‘em in the worst way to keeping poking around. Code is so huge and complicated these days that no one but these types can figure things out. Their one quality is intense focus and blocking out everything else."
So true, if funny. Some of these types tend to blink eerily and do a POST (Power On Self Test) if you greet them and ask how they're doing!
Truth is though that hacking is just as much a skill as programming. It’s the equivalent of being on a beach looking for a specific grain of sand and then finding it. We need these types of hackers, it’s the black hatters that need a kick in the balls or if female the Anchorman threat “punched in the ovaries” because they don’t tell anyone about the exploits they just exploit them for monetary gain.
Those cryptoviruses that started showing up on Windows a couple of years ago are a classic example but grey hatters hacked those and provided the world with the keys. Two sides to every coin really.