
posted by janrinok on Monday August 08 2016, @03:33PM   Printer-friendly
from the be-safe-out-there dept.

The quartet of Matt Molinyawe, Abdul-aziz Hariri, Jasiel Spelman, and Jason Smith of Trend Micro's Zero Day Initiative vulnerability clearing house detailed and demonstrated the winning Pwn2Own 2016 exploit chains during their presentation at the Black Hat conference in Las Vegas.

They walked delegates through the eight successful entries from the Pwn2Own competition in March, recapping the exploitation steps and the 21 vulnerabilities that led to the compromise of Chrome, Safari, Microsoft Edge, Apple OS X, and Adobe Flash.

"The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state-of-the-art techniques in software exploitation" the quartet says in a 65-page technical paper [PDF] published after the talk.

"Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plug-in … attained through the exploitation of the Microsoft Windows or Apple OS X kernel."

[...] "Application sandboxing is a step in the right direction, but the kernel attack surface remains expansive and exposed," they say. "Each of the winning entries was able to avoid the sandboxing mitigations by leveraging vulnerabilities in the underlying OSs."

Mitigations that isolate access to kernel APIs from sandboxed processes will add hurdles to frustrate future attempts to pop god-mode shells, they say.
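
As an added illustration of the mitigation the paper calls for (isolating kernel APIs from sandboxed processes), and not code from the ZDI paper or from any browser's sandbox: a minimal seccomp-bpf filter on Linux that makes a constructed list of kernel subsystems a renderer never needs (AIO, eBPF, keyrings, userfaultfd, perf) return EPERM before any kernel code for them runs. The denied-syscall list, the function names and the probe syscall are assumptions made for the example; it assumes Linux on x86_64 or aarch64 with seccomp filter support.

```c
/*
 * Added example (not from the ZDI paper or any browser's sandbox): shrink the
 * kernel attack surface reachable from a sandboxed process with a seccomp-bpf
 * filter. Assumes Linux on x86_64 or aarch64 with CONFIG_SECCOMP_FILTER.
 * The denied-syscall list below is a constructed illustration, not any
 * product's policy.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Kernel subsystems a renderer has no business reaching; each has carried
 * local privilege-escalation bugs. Constructed list for this example. */
static const long kDenied[] = {
    SYS_io_setup, SYS_bpf, SYS_keyctl, SYS_add_key, SYS_request_key,
    SYS_userfaultfd, SYS_perf_event_open,
};
#define NDENIED (sizeof(kDenied) / sizeof(kDenied[0]))

/* Installs the filter on the calling thread. Returns 0, or -1 with errno set. */
int install_kernel_surface_filter(void)
{
    struct sock_filter insns[4 + 2 * NDENIED + 1];
    size_t n = 0;

    /* Refuse foreign ABIs first: a 32-bit syscall on a 64-bit kernel uses
     * different numbers, so a filter that ignored the arch would check the
     * wrong table. */
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    /* Load the syscall number and compare it against every denied entry;
     * a match returns -EPERM to user space without entering the subsystem. */
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NDENIED; i++) {
        insns[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned int)kDenied[i], 0, 1);
        insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                  SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    insns[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };

    /* An unprivileged process may only install a filter once no_new_privs is
     * set, so the filter cannot be used to confuse a setuid binary later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Tries a denied syscall (io_setup). Returns the errno it failed with, or 0
 * if the kernel let it through (i.e. the filter is not installed). */
int probe_denied_syscall(void)
{
    unsigned long ctx = 0;                     /* aio_context_t */
    if (syscall(SYS_io_setup, 1, &ctx) == 0) {
        syscall(SYS_io_destroy, ctx);
        return 0;
    }
    return errno;
}

/* Ordinary work must keep going: getpid is not on the denied list. */
int probe_allowed_syscall(void)
{
    return getpid() > 0 ? 0 : -1;
}

int main(void)
{
    printf("before filter: io_setup errno=%d\n", probe_denied_syscall());
    if (install_kernel_surface_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after filter:  io_setup errno=%d (EPERM=%d), getpid ok=%d\n",
           probe_denied_syscall(), EPERM, probe_allowed_syscall() == 0);
    return 0;
}
```

The filter must be installed by the sandboxed process itself after it has dropped everything else it will not need, and it applies to that thread only unless installed with the TSYNC flag before any helper threads exist. Real browser sandboxes use much finer policies (argument checks on ioctl, a denylist far longer than this one), and the equivalent knobs on the other platforms the paper covers are the win32k system-call-disable process mitigation on Windows and the per-process sandbox profile on OS X.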

Presentation slides are also available as a PDF. ®

  • (Score: 1, Touché) by Anonymous Coward on Monday August 08 2016, @03:51PM

    Will I get owned by opening the presentation slides?

  • (Score: 2) by bob_super on Monday August 08 2016, @07:18PM

    It's from the white hat guys, so you won't get "owned".
    You're just auto-enrolled into a confirmation study.

  • (Score: 1, Interesting) by Anonymous Coward on Monday August 08 2016, @10:55PM

    From VT, 4a4a5e09e9e3ae0a15de0d88976e25fef75cf903ea0e8cc4edf90fd928406699, doesn't contain any open action, auto action or scripting. So, they'd have to get you on one of the more difficult parts of the PDF specification. However, there are a fair number of images and other resources included in the PDF.

    As an aside, I hate the news websites that take documents from other websites and then add a telemetry gatherer as an open and auto action to the PDF. As soon as I see that, I blacklist the website. If they are not trustworthy enough not to touch the PDF file to add tracking code, how can I trust they didn't change anything else?
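
The check the comment above describes, as an added example that is not part of the thread and not VirusTotal's analyser: a static triage of a PDF for the auto-execution hooks an attacker or a tracker-injecting site would add (/OpenAction, /AA, /JavaScript, /JS, /Launch) plus a count of image XObjects. The two sample documents are constructed inline for the example; the function and struct names are assumptions.

```c
/*
 * Added example, not code from the thread or from any PDF analyser: count
 * PDF name tokens that mark auto-executing content. The two sample PDFs are
 * constructed for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct pdf_triage {
    int open_action;   /* /OpenAction present: runs when the file opens */
    int auto_action;   /* /AA present: additional (event-triggered) actions */
    int scripting;     /* /JavaScript or /JS present */
    int launch;        /* /Launch present: runs an external program */
    int images;        /* number of /Image XObjects */
};

/* PDF "regular" characters: anything that is not whitespace or a delimiter.
 * A name token ends at the first non-regular byte, so "/AA" must not match
 * "/AAPL:Keywords". */
static int is_regular(unsigned char c)
{
    if (c == 0 || c == '\t' || c == '\n' || c == '\f' || c == '\r' || c == ' ')
        return 0;
    return strchr("()<>[]{}/%", c) == NULL;
}

/* Binary-safe count of a whole name token in buf. */
static int count_name(const char *buf, size_t len, const char *name)
{
    size_t nlen = strlen(name);
    int count = 0;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(buf + i, name, nlen) != 0)
            continue;
        if (i + nlen < len && is_regular((unsigned char)buf[i + nlen]))
            continue;              /* longer name, e.g. /ImageMask */
        count++;
    }
    return count;
}

struct pdf_triage triage_pdf(const char *buf, size_t len)
{
    struct pdf_triage t = {0};
    t.open_action = count_name(buf, len, "/OpenAction") > 0;
    t.auto_action = count_name(buf, len, "/AA") > 0;
    t.scripting   = count_name(buf, len, "/JavaScript") > 0 ||
                    count_name(buf, len, "/JS") > 0;
    t.launch      = count_name(buf, len, "/Launch") > 0;
    t.images      = count_name(buf, len, "/Image");
    return t;
}

/* Constructed sample: a plain document with two images and no actions. */
static const char kCleanPdf[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    "3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 4 0 R /Im2 5 0 R >> >> >> endobj\n"
    "4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 >> endobj\n"
    "5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 >> endobj\n"
    "trailer << /Root 1 0 R >>\n%%EOF\n";

/* Constructed sample: the "telemetry gatherer" pattern the comment describes,
 * an OpenAction plus a close-time AA hook, both running JavaScript. */
static const char kTrackerPdf[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R /AA << /WC 6 0 R >> >> endobj\n"
    "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    "3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    "6 0 obj << /S /JavaScript /JS (app.launchURL\\('http://tracker.example/beacon'\\)) >> endobj\n"
    "trailer << /Root 1 0 R >>\n%%EOF\n";

struct pdf_triage triage_clean_sample(void)
{
    return triage_pdf(kCleanPdf, sizeof kCleanPdf - 1);
}

struct pdf_triage triage_tracker_sample(void)
{
    return triage_pdf(kTrackerPdf, sizeof kTrackerPdf - 1);
}

int main(int argc, char **argv)
{
    struct pdf_triage t;
    if (argc > 1) {                            /* triage a real file */
        static char buf[1 << 24];              /* 16 MiB cap for the example */
        FILE *fp = fopen(argv[1], "rb");
        if (!fp) { perror(argv[1]); return 1; }
        size_t len = fread(buf, 1, sizeof buf, fp);
        fclose(fp);
        t = triage_pdf(buf, len);
    } else {
        t = triage_tracker_sample();
    }
    printf("OpenAction=%d AA=%d scripting=%d Launch=%d images=%d\n",
           t.open_action, t.auto_action, t.scripting, t.launch, t.images);
    return 0;
}
```

A hit is a reason to look closer, but no hits is not a clean bill: names inside compressed object streams (/ObjStm with /FlateDecode) or written with hex escapes (/#4FpenAction) are invisible to a raw byte scan, which is why tools such as pdfid and pdf-parser decode those forms before counting.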

  • (Score: 0) by Anonymous Coward on Monday August 08 2016, @11:37PM

    Try Sumatra PDF reader and/or Evince.

    FWIW, Evince is not *nix only, they have a Windows binary.