on the third and last day of 2017 Pwn2Own hacker competition 360 Security staff have an error in the -demonstration browser edge that allowed them to compromise a virtual machine and execute arbitrary code on the host operating system. The screening needed only 90 seconds, as Dustin Childs initiative in a blog entry holds zero day from trend Micros.
the heap overflow in edge the researchers combined with a type confusion bug in the kernel of that was running in a virtual machine. An uninitialized buffer in VMware Workstation finally paved the way for the complete escape from the virtual machine. All three bugs together the researchers earned 105,000 dollars in prize money.
the team sniper of the also Chinese security provider Tencent security tried to the end of the third day also at a guest-to-host-escape. You used a use-after-free bug in the Windows kernel, as well as two other vulnerabilities in VMware Workstation, also without permission to leave the virtual machine and the host operating system to attack successfully. Also the team sniper cashed the $100,000 reward it promised.
in addition presented the security researcher Richard Zhu another vulnerability in edge. He could run two use-after-free bug and a buffer overflow in the Windows kernel code outside the sandbox of the browser – only at the second attempt. He nevertheless won a premium of 55,000 dollars.
a total researchers showed during Pwn2Own 2017 51 previously unknown vulnerabilities. The Organizer also pour $833.000 of the participating researchers and companies, which were also known as pwn points for each bug. Of 360 Security in the course of the competition 63, secured which earned the company the title of “Master of Pwn”. The team sniper of Tencent security ended up with 60 points in second place, followed by Chaitlin security research lab with 26 points. Also, the participants, each year were allowed to keep the notebook computers compromised by them.
on the first two days of also Ubuntu Linux, reader and Flash Player, Firefox and Safari to the victims. Were not attacked and the Microsoft – applications Word, Excel, and PowerPoint. In addition, there was no attempt, Apache Web server on Ubuntu Server to crack that would have at least earned a prize money of 200,000 dollars.
[withmaterialbyChrisDuckett ZDNet.com ]
tip : you know the most famous hacker? Check your knowledge – with 15 questions on silicon.de.