
MIS 5212-Advanced Penetration Testing

MIS 5212 - Section 001 - Wade Mackey

Fox School of Business

Virtual machine escape fetches $105,000 at Pwn2Own hacking contest

March 28, 2017 by Mengqi He

The Pwn2Own 2017 contest, an annual computer hacking contest, ended on March 17. During the three-day contest, Google Chrome remained unscratched; Mozilla Firefox fell once; Apple’s Safari was taken down four times, and a number of flaws were found in its newly developed Touch Bar; and two exploits were found in both Adobe Reader and Flash Player. One impressive result of this contest was that two teams from China, 360 Security and Tencent Security, both successfully completed virtual machine escapes on the third day.

Virtual machines are usually used to create an isolated environment that poses no threat to the host operating system in case of compromise. One of the main goals of a hypervisor is to create a barrier between the guest OS running inside the VM and the host OS that the hypervisor runs on. This barrier prevents one user’s data and OS from being accessed by others sharing the same physical server. A successful VM escape, however, means that attackers were able to break out of a VM and interact with, and execute code on, the host OS.

360 Security completed its VM escape by exploiting a heap overflow bug in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation. The code demonstration took only 90 seconds. Tencent Security, on the other hand, completed its guest-to-host escape with a three-bug chain involving a Windows kernel use-after-free (UAF), a Workstation infoleak, and an uninitialized buffer in VMware Workstation. In the end, the 360 Security team won the most points and was crowned Master of Pwn for this year, and Tencent Security came second. All the exploits found in this contest had to be shared with the contest’s organizer and the vendors, and they will be kept confidential until the vulnerabilities have been patched.

Link: https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
