Hacked in 18 seconds: PwnFest exploited Microsoft Edge to execute malicious code

Kevin Parrish
Digital Trends
A recent hacking event saw several teams remotely executing malicious code through vulnerabilities in Microsoft Edge, one of which was accomplished in a mere 18 seconds. Information about these vulnerabilities will be supplied to Microsoft first.

On Thursday during the PwnFest 2016 event within Seoul’s Power of Community security conference, a team from vulnerability firm Qihoo 360 and South Korean security researcher JungHoon “Lokihardt” Lee demonstrated two different hacks that took advantage of vulnerabilities within Microsoft Edge, completing one in a mere 18 seconds. The internet browser was running on a 64-bit version of Windows 10 Anniversary Edition (aka Redstone 1), and enabled these teams to remotely execute code at the system level.

PwnFest is a “festival” that encourages hackers and security firms to target specific platforms as a means of demonstrating how vulnerabilities they find can be used in the wild. Participants receive a cash prize while platform developers receive information about vulnerabilities and how they are exploited. In the end, participants and general consumers are the two big winners stemming from the event.

That said, here are the targets and their cash rewards:

| Platform/OS/Device | Base Reward | Extra Reward |
| --- | --- | --- |
| Microsoft Edge, Windows 10 x64 Redstone 1 | $120,000 | $20,000 |
| Android 7.0, Nexus 6p and Pixel | $120,000 | $20,000 |
| Microsoft Hyper-V, Windows Server 2016 | $150,000 | none |
| Google Chrome, Windows 10 x64 Redstone 1 | $120,000 | $20,000 |
| Apple iOS 10, iPhone 7 Plus | $120,000 | $60,000 |
| Apple Safari, MacOS Sierra | $80,000 | $20,000 |
| Adobe Flash Player, Microsoft Edge, Windows 10 x64 Redstone 1 | $100,000 | $20,000 |
| VMWare Workstation Pro 1.2, Windows 10 x64 Redstone 1 | $150,000 | none |

As for the participating teams, there appear to be six. Here they are with their targets:

360Vulcan
360Alpha
360Marvel
Lokihardt
Team Pangu
JH
Microsoft Edge Microsoft Edge Apple Safari
VMware Workstation 12.5.1 VMware Workstation 12.5.1
Adobe Flash Player
Android 7.0 (via Pixel)

On the Microsoft Edge front, vulnerabilities discovered in the Windows 10 browser enabled system-level remote code execution. To better understand system-level access, you have to look at how device operating systems are layered in a security sense. At the top layer, consumers will see the applications they normally use. Under that are device drivers with low privileges followed by device drivers with high privileges further underneath. The final, bottom layer consists of the operating system’s central core, aka the kernel, that controls everything. Running a malicious program below the “user” layer grants a hacker special privileges that can go undetected by the device owner.

According to The Register, Lokihardt managed to successfully exploit Microsoft Edge’s security hole(s) in a mere 18 seconds, whereas the length of time it took Qihoo 360’s team to hack Microsoft Edge was not provided. In fact, the Qihoo 360 team reportedly worked on developing its trio of attacks for a period of six months prior to this week’s event.

However, despite all that preparation, the Qihoo 360 team was forced to rework their Edge browser attack within a span of 30 hours. That’s because Microsoft plugged three of the four available vulnerabilities in a Patch Tuesday update released prior to this week’s hacking event.

The details surrounding vulnerabilities exploited during PwnFest won’t be released to the public right away, but rather provided directly to the vendors so they can issue an immediate fix. The hacking event is still ongoing as of this publication, so there’s a good chance we could hear more about successful exploits during the main two-day security conference.