Safari Exploit Enables Hacker to Take Control of Touch Bar – Microsoft Edge Also Exploited at Pwn2Own 2018
As reported yesterday, the Pwn2Own 2018 contest has started, which means we are going to see a number of bugs and exploits. Yesterday's event had a specific focus on browser bugs. While the first Apple Safari bug may have turned into a failure, another researcher managed to exploit Apple's browser in a second attempt. "The final attempt on Day One saw Samuel Groß (5aelo) of phoenhex targeting Apple Safari with a macOS kernel EoP," the event page reported. "Last year, his exploit involved a touchbar component, and this year proved to be no different."
The researcher used a combination of a JIT optimization bug, a kernel overwrite, and a macOS logic bug to successfully exploit Safari, earning $65,000 in rewards.
He used a combination of a JIT optimization bug in the browser, a macOS logic bug to escape the sandbox, and finally a kernel overwrite to execute code with a kernel extension to successfully exploit Apple Safari. This chain earned him $65,000 and 6 points towards Master of Pwn. Similar to last year, he left a message for us on the touchbar once he was complete.
Earlier in the day, a separate Safari exploit was attempted by Richard Zhu, who had also successfully managed to bypass iPhone 7 security at the Mobile Pwn2Own event in November last year. However, yesterday at Pwn2Own 2018, Zhu was unable to prove his exploit in the allotted 30 minute time limit.
Zhu had a second attempt, in which he targeted Microsoft Edge with a Windows kernel EoP. During that attempt, he started debugging his exploit right in front of the crowd when it didn't work. He succeeded in a third attempt with only one minute and 37 seconds left in the allotted time, using two use-after-free (UAF) bugs in the browser and an integer overflow in the kernel to successfully run his code with elevated privileges. He made $70,000 in rewards.
In the day two of the event, Mozilla Firefox and Apple Safari are in the target list of security researchers. As we had noted yesterday, several researchers had to withdraw from the event after Patch Tuesday earlier this week that brought fixes to a number of security issues, over 75 to Microsoft's products.