14 DAY TRIAL // “All your web browser are belong to us” appear to have said contestants at Pwn2Own 2014. On the second day of the hacking competition, all major web browsers were found to be vulnerable.
If on the first day, contestants hacked Internet Explorer and Firefox, on the second day, they managed to “pwn” Safari, Firefox, Internet Explorer and Chrome. In addition to web browsers, on the second day, serious flaws were also found in Adobe Flash.
Let’s take a look at each of the vulnerabilities. First, an anonymous participant managed to execute arbitrary code in Chrome by leveraging an arbitrary read/write bug with a sandbox bypass. However, this has been catalogued as only partially valid as the vulnerability presented by the contestant collided with another flaw shown earlier at Pwnium.
Chrome has also been hacked by VUPEN, the team that earned a total of $300,000 (€215,000) the previous day. The team has managed to break Google’s web browser with a use-after-free affecting the WebKit and Blink. Combined with a sandbox bypass they’ve found, they’ve managed to execute arbitrary code.
Zeguang Zhou of team509 and Liang Chen of Keen Team have managed to break Adobe Flash with a heap overflow vulnerability and a sandbox bypass.
Chen of the Chinese Keen Team has also managed to execute code in Safari through a heap overflow and a sandbox bypass. Safari was also hacked on day one of the competition, but part of Pwn4Fun, a new challenge in which ZDI and Google experts presented their exploits. All money went to the Canadian Red Cross.
George Hotz has found an out-of-bound read/write security hole resulting in code execution in Firefox. Sebastian Apelt and Andreas Schmidt have managed to find two use-after-free bugs and a kernel flaw in Internet Explorer.
The total prize money given out at Pwn2Own 2014, without the amount that goes to charity, is $850,000 / €613,000. Contestants have also been rewarded with ZDI points, laptops and other prizes. All vulnerabilities have been disclosed to vendors.
Pwn2Own 2014 has broken the record for number of entries.
Interestingly, no one took a crack at Oracle Java, although this might be explained by the fact that the prize for hacking Java has been of only $30,000 (€22,000).
Unsurprisingly, no one managed to take the “Exploit Unicorn” grand prize. As part of this new challenge, organizers were prepared to hand out $150,000 (€111,000) to the researcher who demonstrated SYSTEM-level code execution on Windows 8.1 x64 on IE 11 x64 with EMET bypass.