The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state of the art in software exploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plugin. In most cases, these privileges were attained by exploiting the Microsoft Windows or Apple OS X kernel. Kernel exploitation using the browser as an initial vector was a rare sight in previous contests.
This presentation will detail the eight winning browser-to-super-user exploitation chains (21 total vulnerabilities) demonstrated at this year's Pwn2Own contest. We will cover topics such as modern browser exploitation, the complexity of kernel Use-After-Free exploitation, and the simplicity of exploiting logic errors and directory traversals in the kernel. For each vulnerability presented, we will analyze the attack vector, root cause, exploitation technique, and possible remediations.
Reducing attack surfaces with application sandboxing is a step in the right direction, but the attack surface remains expansive and sandboxes are still just a speed bump on the road to complete compromise. Kernel exploitation is clearly a problem which has not disappeared and is possibly on the rise. If you're like us, you can't get enough of it; it's shell on earth.
Matt Molinyawe is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. In this role, Molinyawe analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes vulnerability research along with analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including DEF CON, RuxCon, Power of Community, and PacSec. Prior to joining ZDI, Matt worked as a reverse engineer for General Dynamics Advanced Information Systems and a software engineer for both USAA and L3 Communications. In 2014, Matt was part of the ZDI team that exploited Internet Explorer 11 on Windows 8.1 x64 during the Pwn4Fun event at CanSecWest, which helped raise over $80K for charity. In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. Matt has a B.S. in Computer Science from the University of Texas at Austin. Twitter: @djmanilaice
Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch
Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, and the proceeds went to many STEM organizations. Twitter: @abdhariri
Kernelsmith is a senior vulnerability researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. Josh also focuses on automation of vulnerability discovery and analysis as well as internal operations. He was a developer for the Metasploit Framework and has spoken at a few conferences and holds a few certifications. Prior to joining the Zero Day Initiative, Smith served in the U.S. Air Force in various roles but most relevantly as a penetration tester for the 92d Information Warfare Aggressor Squadron. Post-military, he became a security engineer at the Johns Hopkins University Applied Physics Lab. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. He received a B.S. in Aeronautical Engineering from Rensselaer Polytechnic Institute and an M.A. in Management of Information Systems from the University of Great Falls. Twitter: @kernelsmith