14 DAY TRIAL // South Korean vulnerability researcher JungHoon Lee, better known in the security industry by the “lokihardt” online moniker, managed to score $110,000 / €102,000, the biggest payout in Pwn2Own history, with an exploit for Chrome browser, which was broken in about two minutes.
The pwnage was achieved through three zero-day vulnerabilities, one in Chrome and two in Windows OS that helped him elevate rights on the targeted machine to system level.
Exploiting Chrome lasted about two minutes
Lee’s exploit for Chrome required writing more than 2,000 lines of Native Client code, which he had never done before. It consisted in taking advantage of a buffer overflow race condition, which affected both the stable and the beta versions of the web browser.
He received a $75,000 / €70,500 bounty for the Chrome bug and an extra $10,000 / €9,500 from Google for showing it on the beta release.
The next steps of the attack required leveraging an info leak and a race condition vulnerability in two different Windows drivers, which added $25,000 / €23,500 to the reward.
“To put it another way, lokihardt earned roughly $916 [€849] a second for his two-minute demonstration,” says Dustin Childs, senior security content developer at HP’s Security Research division.
TOCTOU takes down IE 11, Safari falls for UAF
During the competition, the researcher also managed to bring down the 64-bit version of Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) weakness that gave him read/write permission.
The security defenses were bypassed with a sandbox escape through privileged JavaScript injection, which led to medium-integrity code execution; the reward for busting Microsoft’s browser was $65,000 / €61,100.
A third hacking session saw Lee take out Apple’s Safari. This was possible through a use-after-free (UAF) vulnerability in an uninitialized stack pointer and he managed to get his code to work outside the browser sandbox. The reward: $50,000 / €47,000.
Info leak trouble prevented second Chrome pwnage
The second competitor in the second day of Pwn2Own was ilxu1a, who attacked Mozilla Firefox by exploiting an out-of-bounds read/write vulnerability that led to medium-integrity code execution. The entire process took less than a second to complete. Proving and disclosing the bug earned him $15,000 / €14,000.
He also tried to jab Chrome with exploit code but encountered trouble with his info leak attempt and could not finish the pwnage in the allotted 30 minutes.
This year’s Pwn2Own saw a total of 21 zero-day vulnerabilities in widespread products: Adobe Flash Player and Reader, Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Windows.
The sponsors of the competition, HP and Google Project Zero, paid a total of $557,500 / €517,500 to researchers, excluding the non-cash prizes, such as the machines they managed to gain complete control over.
[UPDATE, March 21]: Mozilla released build 36.0.3 for Firefox, which fixes the vulnerabilities demonstrated at Pwn2Own 2015.
HP wrapped up the events at Pwn2Own day two in the video below:
The previous version of article incorrectly informed that the number of code lines for the Google Chrome exploit was 20,000, instead of 2,000.
