Two teams of researchers managed to win the biggest bounties at this year’s Pwn2Own hacking contest by escaping from the VMware Workstation virtual machine and executing code on the host operating system.
Virtual machines are in used in many scenarios to create throw-away environments that pose no threat to the main operating system in case of compromise. For example, many malware researchers execute malicious code or visit compromise websites inside virtual machines to observe their behavior and contain their impact.
One of the main goals of hypervisors like VMware Workstation is to create a barrier between the guest operating system that runs inside the virtual machine and the host OS where the hypervisor runs. That’s why VM escape exploits are highly prized, more so than browser or OS exploits.
This year, the organizers of Pwn2Own, an annual hacking contest that runs during the CanSecWest conference in Vancouver, Canada, offered a prize of US$100,000 for breaking the isolation layer enforced by the VMware Workstation or Microsoft Hyper-V hypervisors.
Friday, on the third and final day of the contest, two teams stepped up to the challenge; both of them from China.
Team Sniper, made up of researchers from the Keen Lab and PC Manager divisions of internet services provider Tencent, chained together three vulnerabilities to escape from the guest OS running inside VMware Workstation to the host OS.
The other team, from the security arm of Qihoo 360, achieved an even more impressive attack chain that started with a compromise of Microsoft Edge, moved to the Windows kernel, and then escaped from the VMware Workstation virtual machine. They were awarded $105,000 for their feat.
The exploit scenarios were difficult to begin with, because attackers had to start from a non-privileged account on the guest OS, and the VMware Tools, a collection of drivers and utilities that enhance the virtual machine’s functionality, were not installed. VMware Tools would have probably provided more attack surface had they been present.
Also on the third day, researcher Richard Zhu successfully hacked Microsoft Edge, complete with a system-level privilege escalation that earned him $55,000. It was fifth Microsoft Edge exploit demonstrated during the competition.
Apple’s Safari fell four times, Mozilla Firefox once, but Google Chrome remained unscathed. Researchers also demonstrated two exploits for Adobe Reader and two for Flash Player, both with sandbox escapes. The contest also included many privilege escalation exploits on Windows and macOS.
The Qihoo 360 team won the most number of points and were crowned Master of Pwn for this year’s edition. It was followed by Tencent’s Team Sniper and a team from the security research lab of China-based Chaitin Technology.
The researchers have to share their exploits with security vendor Trend Micro, the contest’s organizer, which then reports them to the affected software vendors.