Pwn2Own 2013 Recap

So, what happened at Pwn2Own this year? The question really should be: "What didn't happen at Pwn2Own this year?" Now that the dust has settled, let's step back and look at the carnage resulting from Pwn2Own!

 

Planning and Pre-Contest Patching

 

During planning for the contest, we wanted to re-define the objectives of the competition. With a clean slate in mind, we came up with four clear goals:

 

1. Increase Researcher Participation
2. Improve Attack Details
3. Speed up Disclosure Timelines
4. Re-establish Partnerships

 

To meet our revamped focus, we decided to increase the attack surface for the competition, not only to include browsers but also to add the most popular browser plug-ins into the mix (Adobe Flash, Adobe Reader, and Oracle Java). After much debate, the decision was made to require researchers to turn over their full exploit and vulnerability chain in order to win the prize package. We knew that asking this of researchers would mean we needed to increase the prize package, which we did. This year contestants could win over half a million (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques. Google returned as a Pwn2Own sponsor and actually underwrote a portion of the winnings for all the targets.

 


The targeted vendors did their part to make it difficult for the Pwn2Own contestants by releasing several patches immediately prior to the competition. In fact, Oracle released an update the day before Pwn2Own began. This last-minute preparation by the vendors did not go unnoticed by the press or by our contestants.

 

"Microsoft this week patched 14 vulnerabilities in Internet Explorer (IE), preparing the browser for its time as a target early next month at the annual Pwn2Own hacking contest.

 

On Tuesday, Microsoft patched 57 vulnerabilities, including 14 affecting IE that were delivered in two separate security updates. One of those updates, MS13-009, fixed 13 flaws, a dozen of them judged "critical," the company's most serious threat rating."

 

-Gregg Keizer, TechWorld

 

Of course, MS13-009 was near and dear to our hearts, as half of the CVEs referenced in that bulletin had come through HP's Zero Day Initiative. Researchers working through our program also heavily influenced one of the last-minute Oracle updates.

 


Exploit Artistry

 

On March 6, the first official day of the contest, we started the festivities with a live draw for position and timeslots. We also announced that - barring collisions in the submitted vulnerabilities - every exploit would be purchased. Oracle Java, the first target on the table, was successfully compromised by James Forshaw of Context Information Security. Shortly after, Joshua Drake of Accuvant also successfully exploited Java to win $20,000.

 


VUPEN Security was the third contestant up to bat and the only one to target Microsoft's Internet Explorer 10 running on a Surface Pro tablet. Utilizing two 0-day vulnerabilities, they compromised the tablet and bypassed the sandbox to achieve medium integrity code execution. For extra style points, VUPEN Security achieved all of this without crashing the original process. Fresh off their win at Mobile Pwn2Own, Jon Butler and Nils of MWR Labs returned to target Google Chrome, and kept promising us something special. They delivered! Their attempt on Google Chrome was successful and didn't just gain code execution but SYSTEM-level code execution. That is right... SYSTEM! They utilized a type confusion bug in WebKit followed by a kernel issue to achieve this.

 


At the end of day 1, VUPEN Security went for the Pwn2Own "double tap" by targeting Mozilla Firefox and Oracle Java. At 5:30 p.m., VUPEN Security used a use-after-free plus a new Windows 7 ASLR/DEP bypass technique to compromise Firefox. One minute later, they used a heap overflow to pwn Oracle Java. What a day!

 

The following day began with a bang when VUPEN Security successfully compromised Adobe Flash by chaining three 0-day vulnerabilities to gain code execution. The exploit chain included an overflow, an ASLR bypass technique and an Internet Explorer 9 sandbox memory corruption vulnerability. George Hotz was the next contestant to win $70,000 by successfully exploiting Adobe Reader XI. At the end of the day, we received word that one of our pre-registered remote contestants, Ben Murphy, had found a proxy who was willing to demonstrate his exploit. A few clicks later, Oracle Java had again fallen to another 0-day, bringing the total to four unique Java vulnerabilities demonstrated at Pwn2Own. In the end, while Oracle Java was the most targeted, we actually responsibly disclosed the most vulnerabilities to Microsoft.

 


Chamber of Disclosure and the Aftermath

 

After a successful exploit attempt, the real fun began for the Zero Day Initiative team. Following the successful compromises, we ushered the contestants and the affected vendors into a debrief room to responsibly disclose the attack details in private. This room became known as the "Chamber of Disclosure". The communication that occurred in this room was probably the most entertaining part of the competition. The researcher and vendor communication was very insightful and, in the case of a multiple vendor compromise, the vendor-to-vendor repartee was quite enjoyable. In fact, several contestants verbally disclosed additional vulnerabilities/techniques to the on-site vendors.

 

 


One of the side benefits of the Pwn2Own competition is that a vendor can demonstrate their response agility to a vulnerability report. This year, the fastest vendor response went to Mozilla followed by Google. Nice work!

 

When all was said and done, HP's Zero Day Initiative gave away over a half million dollars in cash and prizes to the contestants, and disclosed a double-digit number of zero-day vulnerabilities to the affected vendors. This is by far the highest payout ever and a record number of disclosures.

 

We want to give special thanks to Dragos Ruiu and his team for hosting another outstanding conference in Vancouver, the individual competitors who took time to be a part of this event, and our co-sponsor Google. We look forward to working with everyone again in the future!
