Ubuntu Linux, Safari, Adobe Reader, And Edge Hacked At Pwn2Own 2017

At the Trend Micro-sponsored Pwn2Own 2017 competition, the security researchers were able to hack many popular software and applications like Ubuntu, Safari, Microsoft Edge, and Adobe Reader. This year’s hacking event features 11 contestant teams and 30 attempts in total. Linux OS which is famous in the world for its security, is now hacked because of some vulnerability. Also many other softwares were Hacked Yesterday..!

Before going further, I would tell you about Pwn2Own. Many of you might not be knowing it, I bet.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference, beginning in 2007. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited, a cash prize, and a "Masters" jacket celebrating the year of their win. The name "Pwn2Own" is derived from the fact that contestants must "pwn" or hack the device in order to "own" or win it. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

This year’s event marks the 10th year of this annual hacking competition. It’s also special as for the first time Linux was made a target. Specifically, Ubuntu Linux 16.10 was hacked along with other software like Microsoft Edge, Adobe Reader, and Apple Safari. This is the 10th anniversary of the Pwn2Own hacking contest, it was arranged by Trend Micro and the Zero Day Initiative (ZDI) that introduced new exploit categories.

11 Groups vie for a prize pool of $1 million, the products to hack are organized into five categories, virtual machine (VM) escapes, web browsers and plugins, local privilege escalation, enterprise applications, and server side.

On the first day, the participants earned a total of $233,000 to have disclosed exploits.

Adobe Reader Hacked..!

The day started with the success of a success the researcher @mj011sec from Chinese security firm Qihoo360 who earned $50,000 for hacking Adobe Reader on Windows and his team win 6 points towards Master of Pwn.

The hacker and his team exploited a jpeg2000 heap overflow in Adobe Reader, a Windows kernel info leak, and an RCE through an uninitialized buffer in the Windows kernel to take down Adobe Reader. In the process, they have earned themselves $50,000 USD and 6 points towards Master of Pwn.

Adobe Reader was also successfully hacked by components of the Team Sniper from Tencent Security. The hackers exploited use-after-free and information disclosure flaws to achieve code execution, and a use-after-free in the kernel to obtain SYSTEM-level permissions. The team earned $25,000 for its exploits and 6 Master of Pwn points.

Apple Safari Hacked..!

Mid-morning researchers Samuel Groß (@5aelo) and Niklas Baumstark (_niklasb) partially hacked Apple Safari with an escalation to root on macOS. The duo used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS. They were prized with earn style points for displaying a special message on the targeted Mac’s touch bar, they earned $28,000 USD and 9 Master of Pwn points.macOS.

They were prized with earn style points for displaying a special message on the targeted Mac’s touch bar, they earned $28,000 USD and 9 Master of Pwn points.macOS.

Hacked Ubuntu and Safari..!

In the afternoon the Chaitin Security Research Lab (@ChaitinTech) hacked Ubuntu Desktop exploiting a Linux kernel heap out-of-bound access, they earned $15,000 and 3 Master of Pwn points. This is the first time for an Ubuntu Linux hack at the Pwn2Own.

The same group reached another success at the end of the day hacking Apple Safari with an escalation to root on macOS.

The attack chained a total of six bugs, including an info disclosure in Safari, four different type confusions bugs in the browser, and a UAF in WindowServer.  The team earned $35,000 and 11 points towards Master of Pwn.Master of Pwn.

Hacked Microsoft Edge..!

The highest reward,$80,000, was assigned to the Tencent Security’s Team Ether for hack Microsoft’s Edge browser leveraging an arbitrary write bug in Chakra and a logic bug to escape the sandbox. The team of hackers earned $80,000 and 10 points for Master of Pwn.

Of course, there were also some failed attempts at the Pwn2Own 2017, the Tencent Security – Team Sniper (Keen Lab and PC Mgr) that targeted Google Chrome with a SYSTEM-level escalation were not able to complete their exploit chain within the allotted time.

The researchers Richard Zhu (fluorescence) targeting Apple Safari with an escalation to root on macOS did not complete the exploit chain within the allotted time too.did not complete the exploit chain within the allotted time too.

Team Ether had signed up to hack Windows as well, but they withdrew the entry as well as the researcher Ralf-Philipp Weinmann, who attempted the Edge hack.

To know more about Pwn2Own, visit its YouTube Channel here...