Mozilla Firefox and Microsoft Edge were both hacked on the second day of the Pwn2Own hacking contest, and in the case of the Windows 10 browser, researchers came up with a super-complex and clever approach to escape a virtual machine and get inside the host.
Amat Cama and Richard Zhu of Fluoroacetate were the first to attempt to break into Mozilla Firefox, using a JIT bug and an out-of-bounds write in the Windows kernel.
This technique allowed them to run code at system level, technically taking over the machine completely after pointing Firefox to a crafted website. The two received a prize of $50,000.
Mozilla’s browser was also hacked by Niklas Baumstark, who escaped the sandbox with a mix of a JIT bug and a logic bug. The researcher eventually obtained the same rights as the logged-in user, which could obviously provide full control of the host in the case of an administrator account. Baumstark received $40,000 for his exploit.
Microsoft Edge exploits
Fluoroacetate also hacked Microsoft Edge with a more complex attack that earned them $130,000.
“Starting from within a VMware Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page,” Zero Day Initiative explains.
“That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware Workstation.”
Arthur Gerkis of Exodus Intelligence also managed to exploit Microsoft Edge with a double free bug in the renderer mixed with a logic bug to escape the sandbox. His successful attack against the Windows 10 browser brought him $50,000.
The vulnerabilities that the researchers used to break into the two browsers have been reported to Mozilla and Microsoft, and they should be patched in the coming updates.