Hackers used Edge to bypass VMware Workstation during Pwn2Own 2017

By: Edward Hudson

This year’s Pwn2Own contest wrapped up after three days of hacking browsers and operating systems. At the end, Microsoft’s Edge browser emerged as the loser after having failed to ward off attacks during the event.

A team from Chinese security firm Qihoo 360 exploited Edge and linked two security flaws together to escape from a VMware Workstation virtual machine to its host. The team received $105,000 as a reward for discovering the vulnerabilities. Zero Day Initiative, which sponsored the contest, said in a blog post:

Our day started with the folks from 360 Security (@mj0011sec) attempting a full virtual machine escape through Microsoft Edge. In a first for the Pwn2Own competition, they absolutely succeeded by leveraging a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. These three bugs earned them $105,000 and 27 Master of Pwn points. They won’t say exactly how long the research took them, but the code demonstration needed only 90 seconds.

Next up was Richard Zhu (fluorescence) targeting Microsoft Edge with a SYSTEM-level escalation. Although his first try failed, his second attempt leveraged two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel. This garnered him $55,000 and 14 points towards Master of Pwn.

Tencent Security also got $100,000 for the second VMware Workstation escape. ZDI explained:

The final event for both the day and the contest had Tencent Security – Team Sniper (Keen Lab and PC Mgr) targeting VMWare Workstation (Guest-to-Host), and the event certainly did not end with a whimper. They used a three-bug chain to win the Virtual Machine Escapes (Guest-to-Host) category with a VMWare Workstation exploit. This involved a Windows kernel UAF, a Workstation infoleak, and an uninitialized buffer in Workstation to go guest-to-host. This category ratcheted up the difficulty even further because VMware Tools were not installed in the guest.

Although the Pwn2Own contest lacks a fair method of attacking every browser in equal measure, Microsoft obviously still has a long way to go to improve the security of Edge.
