Skip to main content

Hacked in 18 seconds: PwnFest exploited Microsoft Edge to execute malicious code

Google Pixel, Apple's Safari, and Adobe Flash all exploited at PwnFest 2016

Microsoft Edge
On Thursday during the PwnFest 2016 event within Seoul’s Power of Community security conference, a team from vulnerability firm Qihoo 360 and South Korean security researcher JungHoon “Lokihardt” Lee demonstrated two different hacks that took advantage of vulnerabilities within Microsoft Edge, completing one in a mere 18 seconds. The internet browser was running on a 64-bit version of Windows 10 Anniversary Edition (aka Redstone 1) and enabled these teams to remotely execute code at the system level.

PwnFest is a “festival” that encourages hackers and security firms to target specific platforms as a means of demonstrating how vulnerabilities they find can be used in the wild. Participants receive a cash prize while platform developers receive information about vulnerabilities and how they are exploited. In the end, participants and general consumers are the two big winners stemming from the event.

That said, here are the targets and their cash rewards:

Platform/OS/Device Base Reward Extra Reward
Microsoft Edge
Windows 10 x64 Redstone 1
$120,000 $20,000
Android 7.0
Nexus 6p and Pixel
$120,000 $20,000
Microsoft Hyper-V
Windows Server 2016
$150,000 none
Google Chrome
Windows 10 x64 Redstone 1
$120,000 $20,000
Apple iOS 10
iPhone 7 Plus
$120,000 $60,000
Apple Safari
MacOS Sierra
$80,000 $20,000
Adobe Flash Player
Microsoft Edge
Windows 10 x64 Redstone 1
$100,000 $20,000
VMWare Workstation Pro 1.2
Windows 10 x64 Redstone 1
$150,000 none

As for the participating teams, there appear to be six. Here they are with their targets:

Lokihardt Team Pangu
Microsoft Edge Microsoft Edge Apple Safari
VMware Workstation 12.5.1 VMware Workstation 12.5.1
Adobe Flash Player
Android 7.0 (via Pixel)

On the Microsoft Edge front, vulnerabilities discovered in the Windows 10 browser enabled system-level remote code execution. To better understand system-level access, you have to look at how device operating systems are layered in a security sense. At the top layer, consumers will see the applications they normally use. Under that are device drivers with low privileges followed by device drivers with high privileges further underneath. The final bottom layer consists of the operating system’s central core, aka the kernel, that controls everything. Running a malicious program below the “user” layer grants a hacker special privileges that can go undetected by the device owner.

According to The Register, Lokihardt managed to successfully exploit Microsoft Edge’s security hole(s) in 18 seconds, whereas the length of time it took Qihoo 360’s team to hack Microsoft Edge was not provided. In fact, the Qihoo 360 team reportedly worked on developing its trio of attacks for a period of six months prior to this week’s event.

However, despite all that preparation, the Qihoo 360 team was forced to rework their Edge browser attack within a span of 30 hours. That is because Microsoft plugged three of the four available vulnerabilities in a patch on Tuesday released prior to this week’s hacking event.

Microsoft’s Edge browser was not the only piece of software to be exploited. Qihoo 360, a security firm located in China, pocketed $520,000 in total for their efforts, including exploiting Flash in four seconds to win $120,000. It also used an undisclosed vulnerability to hack the Google Pixel to allow remote code execution, which won them another $120,000. The following video shows the Pixel exploit as it happened.

Google Pixel zero day exploit November 2016

Other exploits included the use of a root privilege escalation bug to win $80,000 for hacking Apple’s Safari browser. Edge was broken for prize money totaling $140,000. The prize money is sponsored by many of the same companies that publish software that is commonly the target of an attack and it is money well-spent — the companies can use the results of events like PwnFest to close security holes and avoid much more costly exploits down the road.

The details surrounding vulnerabilities exploited during PwnFest won’t be released to the public right away, but rather provided directly to the vendors so they can issue an immediate fix.

Updated on 11-14-2016 by Mark Coppock: Added information on further exploits achieved during PwnFest 2016.

Editors' Recommendations