Pwn2Own Sees All Major Browsers Fall

The second and final day of Pwn2Own 2015 saw all major browsers fall to hackathon participants—including a sub-second compromise of Mozilla Firefox and a whopping $110,000 Google Chrome payout.

HP’s Zero-Day Initiative (ZDI) annual hacking contest—colocated as always with CanSecWest—saw payouts totaling $240,000, making for a grand, two-day total of $557,500. Researchers also won laptops, ZDI points and other prizes.

JungHoon Lee was the day’s most-valuable player, netting the single-biggest payout in Pwn2Own history for an exploit that affected both the stable and beta versions of Google Chrome. He won $75,000 USD for the Chrome bug, an extra $25,000 for a privilege escalation to SYSTEM and another $10,000 from Google for hitting the beta version, for a grand total of $110,000.

That means that he earned roughly $916 per second for his two-minute demonstration.

Lee leveraged a buffer overflow race condition in Chrome, then used an info leak and race condition in two Windows kernel drivers to get SYSTEM access.

He also managed to take out 64-bit Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) vulnerability allowing for read/write privileges.

“He evaded all the defensive mechanisms by using a sandbox escape through privileged JavaScript injection, all of which resulted in medium-integrity code execution,” explained HP’s Dustin Childs, in his recap. “This got his day started out right with a payout of $65,000.”

But he wasn’t finished wreaking havoc. He also pwned Apple Safari using a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser, and bypassed the sandbox for code execution. That added $50,000 to his total, which ended up standing at $225,000.

The aforementioned sub-second exploit meanwhile was accomplished by a hacker with the handle ilxu1a, who used an out-of-bounds read/write vulnerability leading to medium-integrity code execution in Firefox. He earned $15,000 for his efforts.

“It happened so quickly that those of us who blinked missed it—although in our defense, it was sub-second execution,” said Childs. “He reports he found the bug through static analysis, which is truly impressive.”

ilxu1a also attempted to exploit Google Chrome, but ran out of time.

Including the first day results, Pwn2Own 2015 uncovered five bugs in the Windows operating system, four in Internet Explorer 11, three each in Mozilla Firefox, Adobe Reader and Adobe Flash, two in Apple Safari and one bug in Google Chrome.

“As with every Pwn2Own, all vulnerabilities were disclosed to their respective vendors in our ‘Chamber of Disclosures,’ and each vendor is working to fix these bugs through their own processes,” Childs said.