The Security Team of Qihoo 360 achieved the first full VM escape in Pwn2Own history.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference, beginning in 2007.

Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. When contestants manage to exploit a vulnerability, the Zero Day Initiative (ZDI) rewards them.

At Pwn2Own 2017, several contestants put Microsoft Edge to the test. Four different teams and Richard Zhu (fluorescence) managed to exploit Microsoft’s browser.

The Security Team of Qihoo 360 earned $120,000 in total, while three teams from Tencent Security won $150,000. Richard Zhu (fluorescence) was rewarded with $55,000.

Qihoo 360 achieves full VM escape

Qihoo 360’s Security Team succeeded in performing a complete virtual machine escape through Microsoft Edge.

The group leveraged a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation.

These three bugs earned Qihoo 360’s Security Team a total of $105,000. Their code demonstration needed just 90 seconds. In addition, the team successfully exploited Microsoft Windows with an out-of-bounds (OOB) bug in the Windows kernel.

A virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system. A heap overflow is a type of buffer overflow that occurs in the heap data area.

Team Ether escapes the Microsoft Edge sandbox

Team Ether of Tencent Security targeted Microsoft Edge and succeeded by using an arbitrary write in Chakra (a JavaScript engine developed by Microsoft). The team managed to escape the sandbox using a logic bug within Microsoft Edge’s sandbox, winning $80,000.

In computer security, a sandbox is a security mechanism for separating running programs.

Sandboxes are often used to execute untested or untrusted programs or code without risking harm to the host machine or operating system.

Lance, Sniper elevate privilege to SYSTEM

Team Lance of Tencent Security managed to exploit Microsoft Edge by using a UAF in Chakra, then escalated privilege to SYSTEM by using a UAF in the Windows kernel. The group won $55,000.

Another team from Tencent Security, Team Sniper, carried out the same exploit as Team Lance, also winning $55,000.


A use-after-free (UAF) is a type of memory corruption flaw that hackers can leverage to execute arbitrary code. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an OS or software app to gain elevated access to resources that are normally under protection.

Finally, Richard Zhu (fluorescence) managed to leverage two separate UAF bugs in Microsoft Edge. He then escalated to SYSTEM using a buffer overflow in the Windows kernel and earned $55,000.