Hackers used Edge to bypass VMware Workstation during Pwn2Own 2017

By: Edward Hudson

This year’s Pwn2Own contest wrapped up after three days of hacking browsers and operating systems. In the end, Microsoft’s Edge browser emerged as the loser after failing to ward off attacks during the event.

A team from Chinese security firm Qihoo 360 exploited Edge and chained it with two further security flaws to escape from a VMware Workstation virtual machine to the host. The team received $105,000 as a reward for discovering the vulnerabilities. Zero Day Initiative, which sponsored the contest, said in a blog post:

Our day started with the folks from 360 Security (@mj0011sec) attempting a full virtual machine escape through Microsoft Edge. In a first for the Pwn2Own competition, they absolutely succeeded by leveraging a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. These three bugs earned them $105,000 and 27 Master of Pwn points. They won’t say exactly how long the research took them, but the code demonstration needed only 90 seconds.

Next up was Richard Zhu (fluorescence) targeting Microsoft Edge with a SYSTEM-level escalation. Although his first try failed, his second attempt leveraged two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel. This garnered him $55,000 and 14 points towards Master of Pwn.

Tencent Security also got $100,000 for the second VMware Workstation escape. ZDI explained:

The final event for both the day and the contest had Tencent Security – Team Sniper (Keen Lab and PC Mgr) targeting VMware Workstation (Guest-to-Host), and the event certainly did not end with a whimper. They used a three-bug chain to win the Virtual Machine Escapes (Guest-to-Host) category with a VMware Workstation exploit. This involved a Windows kernel UAF, a Workstation infoleak, and an uninitialized buffer in Workstation to go guest-to-host. This category ratcheted up the difficulty even further because VMware Tools were not installed in the guest.

Although the Pwn2Own contest lacks a fair method of attacking every browser in equal measure, Microsoft obviously still has a long way to go to improve the security of Edge.


