
Pwn Fest: Hackers Shame IE9, Chrome, Firefox in Pwn2Own & Pwnium

The three day pwn fest of Pwn2Own and Pwnium is over and white hat hackers managed to shame IE9, Chrome and Firefox.

By Ms. Smith on Sun, 03/11/12 - 4:27pm.

During the three-day CanSecWest security conference in Canada, the four browser targets for Pwn2Own were Microsoft Internet Explorer, Apple Safari, Google Chrome and Mozilla Firefox, all of which were running "the latest, fully patched version of either Windows 7 or Lion." The rules for Pwn2Own changed this year "from who can hack a browser faster, as it was in previous editions, to who can write the highest number of reliable exploits." Another huge change was that Google had its own $1 million Pwnium contest. Oddly enough, the only browser that survived pwn-fest shame was Safari -- but that's surely because nobody attempted to take it on.

Unlike last year when nobody tried to topple Chrome, Google set up big, juicy prize money for Pwnium and then paid out two $60,000 cash awards to two hackers and managed to patch the vulnerabilities in a turnaround time of less than 24 hours. Pwnium called French security firm Vupen's Flash pwn a "consolation prize." This left $880,000 of cash prizes remaining which will now be "distributed to the Chrome Security Team."

That money was well earned by the Chrome security team, who must have expected Vupen to attempt to exploit the Flash Player plugin in Chrome. Chrome security folks crafted the signature 0xABAD1DEA to be generated when the Flash vulnerability was triggered. According to ZDNet, Google set the exploit trap for the Vupen security team. "On March 5, the protection was added to Google Chrome 17.0.963.65. When the protection triggers, it generates a very unique signature - 0xABAD1DEA - which is hexadecimal that spells out 'a bad idea.' The protection was meant to make the browser resilient to certain attacks but in a bit of cat-and-mouse, it was left in there to see if anyone would find it and make a public comment." Sure enough, Vupen did bite and Nicolas Joly tweeted twice about 0xABAD1DEA. As you might recall, Vupen exclusively sells exploits to the government . . . which some of us consider another 'bad idea.'

Perhaps the sweetest hacking of all was from a teenager who goes by Pinkie Pie. He toppled Chrome and made a "booby-trapped website display a picture of a pink pony wielding a medieval axe." Wired reported, "Just hours before the end of Google's $1 million hack challenge, a teenager who once applied to work at Google without getting a response, hacked the company's Chrome browser using three zero-day vulnerabilities, one of which allowed him to escape the browser's security sandbox." ArsTechnica noted that the advisory accompanying the update for Windows, Mac, and Linux versions of Chrome stated, "Congratulations to PinkiePie (aka PwniePie) for a beautiful piece of work to close out the Pwnium competition!" Referring to an exploit unleashed on Wednesday, it continued: 'We also believe that both submissions are works of art and deserve wider sharing and recognition'.

Pinkie Pie walked away with $60,000, as did Sergey Glazunov, who was the first to pwn Chrome by bundling vulnerabilities. Glazunov, a Russian researcher, is a "member of the Chromium Hall of Fame for finding Chrome bugs and recipient previously of about $88,000 for finding Chrome bugs."

Although Vupen tweeted, "The first day of #pwn2own was great, we pwned all browsers: Chrome with 0day, Firefox/IE/Safari with CVEs," Pwn2Own tweeted that Safari was the only browser not to succumb to white hat hackers . . . but then again, it most likely didn't fall because "nobody attempted an exploit against Safari."

On the second day of the Pwn2Own contest, Internet Explorer 9 was the second browser targeted and taken down by Vupen. On a fully patched 64-bit Windows 7 with Service Pack 1, Vupen attacked with two zero-day exploits "to fully bypass ASLR/DEP + Protected Mode." VUPEN co-founder Chaouki Bekrar told ZDNet, "The Internet Explorer flaws went undetected for a very long time. This goes all the way back to IE 6. It will work on IE 6 all the way to IE 10 on Windows 8." In regard to the IE 9 hack, Bekrar told SecurityNewsDaily "We used only a specially crafted Web page. There was no user interaction, no downloading, no pop-ups, no message box to accept. It was a 'visit and get pwned' exploit." It took the Vupen team "seven weeks to craft the IE 9 exploit."

Firefox also fell to two researchers, Willem Pinckaers and Vincenzo Iozzo, who won $30,000 by using the same exploit three times. After "demonstrating the drive-by download attack for Pwn2Own organizers," Pinckaers told ZDNet, "We triggered the same vulnerability three times. We used it once to leak some information, then used it again to leak addresses of our data. Then, we used the same vulnerability a third time to get code execution." It took one day for Pinckaers to write the exploit after Iozzo found the vulnerability.

Follow me on Twitter @PrivacyFanatic