Windows, macOS Hacked at Pwn2Own 2017

Researchers hacked Windows, macOS, Firefox, Edge, Safari and Flash Player on the second day of the Pwn2Own 2017 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.

On the first day, participants successfully demonstrated exploits against Edge, Safari, Ubuntu and Adobe Reader, taking home over $230,000 of the $1 million prize pool. On the second day, white hat hackers earned $340,000 for their exploits.

Adobe Flash Player was successfully targeted by both Qihoo360’s 360 Security team and Tencent’s Team Sniper, each earning $40,000 for their exploits. 360 Security used four bugs, while Team Sniper leveraged two use-after-free vulnerabilities.

The Qihoo360 team also managed to break Apple’s macOS operating system, earning $10,000 for a privilege escalation that involved an information disclosure flaw and a race condition in the kernel. The same amount was earned by the Chaitin Security Research Lab team, which elevated privileges on macOS via an information disclosure bug and an out-of-bounds in the kernel.

360 Security also earned $35,000 for hacking Apple’s Safari browser and escalating privileges to root on macOS. Team Sniper was paid the same amount for an exploit chain that achieved the same goal.

The Windows operating system was hacked by both 360 Security and Team Sniper, each taking home $15,000 for exploits that involved out-of-bounds and integer overflow vulnerabilities in the kernel.

Microsoft’s Edge browser was successfully targeted on the second day of Pwn2Own 2017 by two groups from Tencent: Team Sniper and Sword Team. They each received $55,000 for disclosing their exploits.

Mozilla Firefox was hacked by the Chaitin Security team via an integer overflow in the browser and an uninitialized buffer weakness in the Windows kernel for privilege escalation. Moritz Jodeit of Blue Frost Security also targeted Firefox, but failed to complete the exploit chain in the allocated timeframe.

Some of the Tencent teams – the Chinese firm had four teams in the competition – withdrew their entries or were disqualified for not using zero-day vulnerabilities.

Due to the unprecedented number of contestants and entries, some of the exploits will be demonstrated on the third day of the event, when participants will take a crack at Edge, including with a VM escape, and VMware Workstation. Depending on the results, the total amount paid out this year could exceed $800,000, nearly double compared to Pwn2Own 2016. 

Hackers Earn Big Bounties for GitHub Enterprise Flaws

White hat hackers have earned tens of thousands of dollars in bounties after finding serious vulnerabilities in GitHub Enterprise.

GitHub Enterprise is the on-premises version of GitHub.com, for which organizations pay an annual fee of $2,500 for every 10 users. The product promises enterprise-grade security, 24/7 technical support, hosting options, and several administration features not available for GitHub.com.

GitHub Enterprise versions 2.8.5, 2.8.6 and 2.8.7, released in January, patch several flaws rated critical and high severity, including ones that can be exploited to bypass authentication and remotely execute arbitrary code.

The researchers who discovered the vulnerabilities have started making their findings public, and information from GitHub and the experts themselves shows that they earned significant rewards.

GitHub included the Enterprise product in its bug bounty program at the beginning of the year, when it announced that the most severe bugs reported in January and February would also receive bonus rewards.

Two of the vulnerabilities rated critical were identified by Greece-based researcher Ioannis Kakavas. The expert discovered a couple of flaws in the Security Assertion Markup Language (SAML) implementation of GitHub Enterprise, and received a research grant to conduct a full assessment of SAML in GitHub.

Kakavas, who is currently the second best hacker in GitHub’s bug bounty program, earned a total of $27,000 for the flaws he uncovered. He recently published a blog post containing technical details and proof-of-concept (PoC) code.

Another critical flaw was discovered by German bug bounty hunter Markus Fenske. The expert found a weakness in the management console that could have been exploited to execute arbitrary commands on the GitHub Enterprise appliance.

Fenske has received a total of $18,000 for his findings, which includes a $10,000 bounty, the maximum reward offered by GitHub, and an $8,000 bonus.

Researcher Orange Tsai, who last year managed to hack a Facebook server, received $5,000 and a $5,000 bonus for responsibly disclosing a high severity SQL injection vulnerability related to the pre-receive hook APIs used by GitHub Enterprise.

GitHub said there was no evidence that the vulnerabilities identified by Fenske and Kakavas had been exploited in the wild.