Hackers used Edge to bypass VMware Workstation during Pwn2Own 2017

By: Jay Decenella

This year’s Pwn2Own contest wrapped up after three days of hacking browsers and operating systems. At the end, Microsoft’s Edge browser emerged as the loser after having failed to ward off attacks during the event.

A team from Chinese security firm Qihoo 360 exploited Edge and linked two further security flaws to escape from a VMware Workstation virtual machine to the host. The team received $105,000 as a reward for discovering the vulnerabilities. Zero Day Initiative, which sponsored the contest, said in a blog post:

Our day started with the folks from 360 Security (@mj0011sec) attempting a full virtual machine escape through Microsoft Edge. In a first for the Pwn2Own competition, they absolutely succeeded by leveraging a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. These three bugs earned them $105,000 and 27 Master of Pwn points. They won’t say exactly how long the research took them, but the code demonstration needed only 90 seconds.

Next up was Richard Zhu (fluorescence) targeting Microsoft Edge with a SYSTEM-level escalation. Although his first try failed, his second attempt leveraged two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel. This garnered him $55,000 and 14 points towards Master of Pwn.

Tencent Security also got $100,000 for the second VMware Workstation escape. ZDI explained:

The final event for both the day and the contest had Tencent Security – Team Sniper (Keen Lab and PC Mgr) targeting VMware Workstation (Guest-to-Host), and the event certainly did not end with a whimper. They used a three-bug chain to win the Virtual Machine Escapes (Guest-to-Host) category with a VMware Workstation exploit. This involved a Windows kernel UAF, a Workstation infoleak, and an uninitialized buffer in Workstation to go guest-to-host. This category ratcheted up the difficulty even further because VMware Tools were not installed in the guest.

Although the Pwn2Own contest lacks a fair method of attacking every browser in equal measure, Microsoft obviously still has a long way to go to improve the security of Edge.
