Hackers detail the blood and guts of the 2016 Pwn2Own exploit expo
Kernel carnage bashes browsers and punishes plug-ins
Black Hat: Zero Day Initiative researchers have detailed the winning hacks of this year's Pwn2Own competition, painting a picture of broken browsers and owned systems.
The quartet of Matt Molinyawe, Abdul-aziz Hariri, Jasiel Spelman, and Jason Smith of Trend Micro's Zero Day Initiative vulnerability clearing house detailed and demonstrated the devastating white hat hacks during their presentations at the Black Hat conference in Las Vegas.
They walked delegates through the exploitation steps of the eight successful hacks pulled off at the Pwn2Own competition in March, recapping the 21 vulnerabilities which led to the digital goring of Chrome, Safari, Microsoft Edge, Apple OS X, and Adobe Flash.
"The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state-of-the-art techniques in software exploitation," the quartet says in a 65-page technical paper [PDF] published after the talk.
"Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plug-in … attained through the exploitation of the Microsoft Windows or Apple OS X kernel."
The attacks, detailed in a bid to improve the hacking chops of delegates, take different paths to remote code execution but use similar kernel exploitation methods to attain read and write capabilities.
Such exploitation methods, with the browser as the first vector, were rare in former Pwn2Own contests.
Molinyawe, Hariri, Spelman, and Smith say application sandboxing improvements have helped, but did not shutter the attacks used at the contest.
"Application sandboxing is a step in the right direction, but the kernel attack surface remains expansive and exposed," they say. "Each of the winning entries was able to avoid the sandboxing mitigations by leveraging vulnerabilities in the underlying OSs."
Mitigations that isolate access to kernel APIs from sandboxed processes will add hurdles to frustrate future attempts to pop god-mode shells, they say.
Presentation slides are also available as a PDF.