Hackers used Edge to bypass VMware Workstation during Pwn2Own 2017

by Radu Tyrsina

This year’s Pwn2Own contest wrapped up after three days of attacks on browsers and operating systems. By the end, Microsoft’s Edge browser had fared worst, falling to every team that targeted it during the event.

A team from Chinese security firm Qihoo 360 exploited Edge and chained two further security flaws onto it to escape from a VMware Workstation virtual machine to the host. The team received $105,000 as a reward for the vulnerabilities. Zero Day Initiative, which sponsored the contest, said in a blog post:

Our day started with the folks from 360 Security (@mj0011sec) attempting a full virtual machine escape through Microsoft Edge. In a first for the Pwn2Own competition, they absolutely succeeded by leveraging a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. These three bugs earned them $105,000 and 27 Master of Pwn points. They won’t say exactly how long the research took them, but the code demonstration needed only 90 seconds.

Next up was Richard Zhu (fluorescence) targeting Microsoft Edge with a SYSTEM-level escalation. Although his first try failed, his second attempt leveraged two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel. This garnered him $55,000 and 14 points towards Master of Pwn.

Tencent Security also earned $100,000 for the second VMware Workstation escape of the contest. ZDI explained:

The final event for both the day and the contest had Tencent Security – Team Sniper (Keen Lab and PC Mgr) targeting VMware Workstation (Guest-to-Host), and the event certainly did not end with a whimper. They used a three-bug chain to win the Virtual Machine Escapes (Guest-to-Host) category with a VMware Workstation exploit. This involved a Windows kernel UAF, a Workstation infoleak, and an uninitialized buffer in Workstation to go guest-to-host. This category ratcheted up the difficulty even further because VMware Tools were not installed in the guest.

Although the Pwn2Own contest offers no fair, like-for-like measure of every browser, Microsoft clearly still has a long way to go in improving the security of Edge.