This year’s hackathon, Pwn2Own 2017, played host to a great deal of hacks and exploits for various browsers, software, and operating systems, and many teams walked away thousands of dollars richer. Microsoft came out with the most hacked browser, paying out five teams in bounties for hacking the Edge browser in Windows 10, while Google Chrome had no successful hacks during the competition weekend. Apple’s Safari browser had three successful hacks with elevation privileges to take control of Mac OS Sierra, and Firefox had only one successful exploit. However, this year’s event played host to an astonishing virtual machine escape that would have lead to complete destruction of any online services that hosted virtual machine instances through VMWare.
The virtual machine escape exploit was easily the most impressive one in the competition, and also the first one that was demonstrated on the first day of the event. 360 Security, a group of hackers that consults for various companies, managed the breakout in 90 seconds. The first attack was a heap overflow attack on the Edge browser, which gave them privileges across the virtual machine instance. The second attack was a type confusion exploit in Windows, which targeted the Windows kernel by not correctly identifying to the kernel what code it was trying to get it to run. With kernel access (already an ungodly amount of power), they then proceeded to exploit an unused memory buffer in the kernel which affected the VMWare Workstation host server, giving them root access to the server and control of the entire system.
This kind of attack is incredible for two reasons. One, it targets Microsoft Edge, which every version of Windows 10 ships with. Edge browser needs to be updated to guard against the first attack, but many people try to disable Windows 10 automatic updates or defer upgrades because the timing of an update doesn’t suit them. Only one unpatched virtual machine needs to be running to allow the first and second attack to take place. Even if you’re a company with a million virtual machines running Windows 10, and all but one of them is updated fully, it’s just that one instance that makes you vulnerable to the attack displayed at Pwn2Own.
Second, the speed at which it was done, and the fact that it was a virtual machine breakout, means that bringing down a company that relies on this kind of software becomes trivial. If Amazon used VMWare instancing in their AWS offering (thankfully they don’t), it would be simple to attack an instance of Windows 10 that you spin up yourself, get it to run the exploit, and then gain access to the server its hosted on to gain control of all the data on the server and access to every virtual machine currently running. That is the holy grail of hacks. Run up enough instances on different servers, and you can gain control of a sizeable portion of a network Amazon’s size.
The 360 Security team earned only $105,000 from this successful exploit from the million dollar prize pool. I say “only”, because that kind of exploit easily fetches millions of dollars on the black market. As a condition of the competition, all teams need to hand over their source code and details of the exploits to give the affected companies the chance to patch out these issues.