Hackers took down Apple Safari, VMware Workstation, and Oracle VirtualBox on Wednesday, the first day of Pwn2Own, the annual hacking competition held in tandem with the CanSecWest conference in Vancouver.
Contestants with the team of Fluoroacetate (Amat Cama and Richard Zhu) were the first to hit pay dirt; hacking Apple’s Safari browser via escaping the sandbox. The team used an integer overflow in the browser and a heap overflow to escape the sandbox. The attack took hours, using a brute force technique, eventually earning the team $55,000.
The takedown would be the first of three for the Fluoroacetate team on Wednesday. Later in the day Cama and Zhu focused their attention on the virtualization category and Oracle’s VirtualBox. Oracle VirtualBox is a free and open-source hypervisor for x86-class computers.
Successful VM escape exploit. Impressive work by Amat Cama and Richard Zhu #Pwn2Own pic.twitter.com/y0pSMYjI2l
— Ryan Naraine (@ryanaraine) March 20, 2019
Fluoroacetate was able to “pop calc” (open the calculator app) on the VirtualBox using an integer underflow and a race condition to escalate from the virtual client, according to the write-up of the event by Zero Day Initiative. After their first failed attempt – tied to a botched memory leak attempt – things aligned and a successful code execution (opening of the calculator app) earned the two-person team $35,000.
Rounding out Fluoroacetate’s trifecta of successful hacks was a compromise of the VMware Workstation. By leveraging an race condition and chaining it to an out-of-bounds write the team was able to jump from the virtual client to executing code on the underlying host operating system, ZDI reported. That hack earned the team $70,000, bringing their total to $160,000 for the day.
The Oracle VirtualBox took a second beating by hacker team Anhdaden of STAR Labs. They used an integer underflow to escalate from the virtual client to execute his code on the hypervisor at medium integrity, ZDI reported: “[Anhdaden] used a unique integer underflow different than the previously demonstrated underflow. His first foray into Pwn2own netted him $35,000.”
Three hackers only identified by their Twitter handles (@_niklasb @qwertyoruiopz and @bkth_) that were part of a team called Phoenhex and Qwerty Team, received partial credit for hacking Apple Safari with a kernel elevation. The three demonstrated a complete system compromise.
“By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug,” ZDI wrote.
The team only received partial credit because Apple already knew of one of the bugs used in the attack. Nevertheless, they were awarded $45,000 for their efforts.
In total, day one of the two-day Pwn2Own hacking competition paid out $240,000.