Virtual machine escape fetches $105,000 at Pwn2Own hacking contest

March 20th, 2017

Hack worked by stitching together three separate exploits.

Contestants at this year’s Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft’s heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.

Members of Qihoo 360’s security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware.

“We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine,” Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. “Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled website.”

Friday’s success underscores the central theme of Pwn2Own, that no operating system or application is immune to hacks that thoroughly compromise its security.
