Mozilla Firefox was exploited in less than a second

Mar 19, 2015 14:58 GMT

The first day of the Pwn2Own hacking competition ended with participants successfully exploiting zero-day vulnerabilities in Mozilla Firefox, Internet Explorer 11, and Adobe’s Flash and Reader products, chaining them with other security flaws to take control of the targeted computer.

In total, the security researchers combined 13 undisclosed bugs into exploit chains and pocketed $317,500 / €298,000. The bonus for each system escalation flaw was set to $25,000 / €23,500.

Adobe Flash and Reader glitches successfully exploited

Zeguang Zhao (Team509), Peter, Jihui Lu, and wushi (KeenTeam) joined efforts and used a heap overflow remote code execution vulnerability in Adobe Flash, then escalated local privileges in the Windows kernel via a bug in TrueType fonts, gaining unrestricted access to the machine.

They received $60,000 / €56,000 for the glitch in Flash and the system escalation bonus.

KeenTeam (Peter, Jihui Lu, Wen Xu, and wushi) took on Adobe Reader and leveraged an integer overflow weakness ($30,000 / €28,000), achieving pool corruption through a different TrueType font bug; this allowed system escalation once more and full control of the machine.

Adobe Flash and Reader were again tested by security researcher Nicolas Jolly. In the allotted 30 minutes, he exploited a use-after-free (UAF) remote code execution vulnerability and a sandbox-escape directory traversal vulnerability in the Flash broker, which brought a $30,000 / €28,000 prize.

Jolly also brought Adobe Reader down, relying on a stack buffer overflow vulnerability (info leak and remote code execution) followed by an integer overflow to exploit the broker; he said that the last part of the exploit chain was written on the way to the CanSecWest conference in Vancouver.

This added $60,000 / €56,000 into his pocket, increasing his payout for the day to $90,000 / €84,500.

Firefox and Internet Explorer 11 defenses were no match for the hackers

According to a post from HP, which co-sponsors the competition together with Google Project Zero, the Firefox attempt “knocked it out of the park through a cross-origin vulnerability followed by privilege escalation within the browser – all within .542 seconds” (yes, that’s less than a second).

Mariusz Mlynski, who is responsible for the deed, continued the attack by exploiting a fundamental flaw to escalate to system privileges in Windows; its details remain undisclosed until a fix is released. The netted cash in this case was $55,000 / €51,500, including the reward for gaining system rights.

The bug for Internet Explorer 11 was demonstrated by a new contestant, 360Vulcan Team, who managed to compromise the 64-bit version of the browser through an uninitialized memory flaw that led to medium-integrity code execution and a reward of $32,500 / €30,500.

The vulnerability tally for the first Pwn2Own day is 3 bugs in Adobe Reader, 3 bugs in Adobe Flash, 3 bugs in Windows, 2 bugs in Internet Explorer 11 and 2 in Mozilla Firefox.

A video with a summary of the first day of Pwn2Own 2015 has been published by HP Security Research unit:
