• Virtual machine escape combining 3 different exploits fetches $105,000 at Pwn2Own hacking contest
    22 replies
[QUOTE]Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: They compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days. According to a [URL="https://twitter.com/thezdi/status/842788469923442689"]Friday morning tweet[/URL] from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel, and an uninitialized buffer vulnerability in VMware, contest organizers said. The result was a "[URL="https://twitter.com/thezdi/status/842791088339345415"]complete virtual machine escape[/URL]." Virtual machines are vital to the security of individuals and large organizations everywhere. In server hosting environments, they're used as a container that prevents one customer's data and operating system from being accessed by other customers sharing the same physical server. Virtual machines are also used on desktop computers to isolate untrusted content. Should the guest operating system be compromised through a drive-by browsing exploit or similar attack, the hackers still don't get access to data or operating system resources on the host machine. Any hack that can break out of a widely used virtual machine is generally considered significant. The one described Friday is made all the more impressive because it works by exploiting Edge, which is regarded among security professionals as one of the most challenging browsers to exploit. Typically, such remote-code exploits require two or more vulnerabilities be exploited in unison. The requirement appears to be why the Qihoo team combined the heap overflow exploit with the Windows kernel hack.
The description sets up a scenario in which malicious websites can not only compromise a visitor's virtual machine, but also the much more valuable host machine the VM runs on. At last year's Pwn2Own, contestants didn't attempt to target VMware, an indication reliable exploits were probably worth more than the $75,000 prize that was offered at the time. Friday's success underscores the central theme of Pwn2Own, that no operating system or application is immune to hacks that thoroughly compromise its security.[/QUOTE]
[QUOTE]"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled website."[/QUOTE]
[url]https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/[/url]
fuck
Now that certainly is interesting
[B]These are the Final Nights.[/B]
Cool and terrifying at the same time
I'm more amazed at the fact that they found THREE exploits in Edge, Windows kernel, and VMware, and they're able to stitch them together to pull off something this massive
[QUOTE=B!N4RY;51975137]I'm more amazed at the fact that they found THREE exploits in Edge, Windows kernel, and VMware, and they're able to stitch them together to pull off something this massive[/QUOTE] No software is hack-proof, only hack-resistant. Humans make too many mistakes in programming to be able to see every single hole to be covered -- it's like weaving a basket out of straw, except the basket is 50 meters in diameter.
Out of the 3 exploits, the only one that is really damning is the VMware exploit; it's big. If the Windows type confusion flaw is the one I'm thinking of, it's been around for a while. MS keeps refusing to fix it, or more rather, can't.
So wait, they pulled off an exploit within a VM that allowed them to both exploit the VM itself but also the guest OS? Damn.
Well so much for sandboxing safely now.
the CIA is impressed. CIA will now absorb this information. Thank you.
[url]https://facepunch.com/showthread.php?t=1540016[/url] [img]https://s17.postimg.org/8x6r03izz/edge_irony.jpg[/img]
All the more reason to not use Javascript on untrusted websites.
These Qihoo guys, btw, are also the creators of 360 Total Security antivirus, which is free, and in my experience, better than ESET.
[QUOTE=CruelAddict;51977960]These Qihoo guys, btw, are also the creators of 360 Total Security antivirus, which is free, and in my experience, better than ESET.[/QUOTE] I'm willing to check it out. Didn't know they own the number 1 browser and anti virus in China. It also makes me feel sorta uneasy tho. Are they good guys or tools of their government?
[QUOTE=WaLLy3K;51977231]All the more reason to not use Javascript on untrusted websites.[/QUOTE] Let me tell you a story of a time before javascript when there were things more malicious than your simple marketing malware. In short, they compromised your computer without the need of fancy plugins to run aspects of the web, with less tools than the current HTML version. What's truly interesting is most if not all those exploits still function, like the dreaded browser crasher.
[QUOTE=Helix Snake;51975077]fuck[/QUOTE] [QUOTE=Obama Yo Momma;51975350]Well so much for sandboxing safely now.[/QUOTE] Sandboxing has never been 100% foolproof, just as software has never been 100% unbreakable. No point in worrying about it now; as long as you know what you're doing you will be fine.
[QUOTE=cyanidem;51978200]I'm willing to check it out. Didn't know they own the number 1 browser and anti virus in China. It also makes me feel sorta uneasy tho. Are they good guys or tools of their government?[/QUOTE] Can't really say, what I can say is that the antivirus is so far very reliable and lightweight. If you really think of them as spies or government tools, then try out Avira, it's also free afaik
[QUOTE=Sims_doc;51978343]Let me tell you a story of a time before javascript when there were things more malicious than your simple marketing malware. In short, they compromised your computer without the need of fancy plugins to run aspects of the web, with less tools than the current HTML version. What's truly interesting is most if not all those exploits still function, like the dreaded browser crasher.[/QUOTE] There was basically 0 security then, though. It wasn't really hacking, more like walking in an open door.
[QUOTE=cyanidem;51978200]I'm willing to check it out. Didn't know they own the number 1 browser and anti virus in China. It also makes me feel sorta uneasy tho. Are they good guys or tools of their government?[/QUOTE] I've been using 360 total security for a few years. It's a heuristic-based system, so you have to deal with some false positives every now and then. But I haven't had a genuine malware infection for the time I've used it. The program also stays out of the way when not needed and is light on resources.
[QUOTE=UnknownDude;51986990]I've been using 360 total security for a few years. It's a heuristic-based system, so you have to deal with some false positives every now and then. But I haven't had a genuine malware infection for the time I've used it. The program also stays out of the way when not needed and is light on resources.[/QUOTE] So it's good then? I've been using avast! which has been excellent up until recently, when it transformed from "shareware" into "nagware".
[QUOTE=Zero-Point;51987711]So it's good then? I've been using avast! which has been excellent up until recently, when it transformed from "shareware" into "nagware".[/QUOTE] Turn game mode on. That's how I deal with all the nagging shit with avast
[QUOTE=TheJoker;51988760]Turn game mode on. That's how I deal with all the nagging shit with avast[/QUOTE] Game-mode [I]was[/I] on. Still kept doing it, and there's an option to stop promotional pop-ups on it, but it's grayed out unless you purchase the full license. :/ Though they must have fixed that in a recent update, as I haven't gotten any more nagging pop-ups since I last updated.