On the third day of the Pwn2Own hacking contest in Vancouver on Friday, a Windows guest running on a VMware Workstation host was escaped twice.
A team from Chinese security firm Qihoo 360 began by exploiting Microsoft’s Edge browser, then chained together two more vulnerabilities to escape from the VMware virtual machine, picking up $105,000.
“In a first for the Pwn2Own competition, they absolutely succeeded by leveraging a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape,” the backers of the contest, Zero Day Initiative (ZDI) said in a blog post.
The second VMware Workstation escape was performed by Tencent Security, who picked up $100,000 for chaining together a Windows kernel use-after-free bug with a “Workstation infoleak and an uninitialized buffer in Workstation to go guest-to-host”, ZDI said.
Overall, the two teams that escaped the virtual machines finished first and second respectively in the competition standings.
In the earlier days of the contest, use-after-free vulnerabilities were the bug class of choice, used to compromise Flash, the Windows kernel, Microsoft Edge, the macOS kernel, and Safari.
The team from Chaitin Security Research Lab demonstrated using a Linux kernel heap out-of-bounds bug to compromise Ubuntu, and chained a half-dozen exploits together to gain root on macOS.
“They broke through Apple Safari to gain root access on macOS by using a total of six bugs in their exploit chain including an info disclosure in Safari, four different type confusion bugs in the browser, and a UAF in WindowServer,” ZDI said last week.
ZDI is now part of Trend Micro following its approximately $300 million purchase of TippingPoint from HP in 2015.
In October, Microsoft said it was aware of four zero-day vulnerabilities within its Edge, Office, and Internet Explorer products that were being exploited in the wild.
Edge will disable Flash content upon the release of the Windows 10 Creators Update, expected to drop next month. Edge is the last major browser to adopt Flash-blocking functionality.