Beim diesjährigen Hacker-Wettbewerb Pwn20wn Mobile in Tokyo, Japan haben die Teilnehmer - 3 Teams - an zwei Tagen (13.+14. November) 18 Zero-Day-Sicherheitslücken entdeckt und ausgenutzt. Sowohl Galaxy S9 als auch iPhone X und Xiaomi Mi6 wurden erfolgreich angegriffen. Insgesamt standen elf verschiedene Smartphones zur Verfügung. Die Zero Day Initiative hat als Belohnung ein Preisgeld in Höhe von 325.000 US-Dollar ausgezahlt.
Das Samsung Galaxy S9 wurde sowohl vom Team Fluoroacetate Dank einer Baseband-Lücke und durch ausgelöstem Speicherfehler ausgeführtem Schadcode als auch durch MWR Labs von F-Secure durch die Kombination von drei Lücken via Wi-Fi eingespielten bösartigen App angegriffen.
Beim iPhone X gelang einer von drei Angriffen. Das Team Fluoroacetate konnte über einen JIT-Fehler im Browser einen Speicherfehler provozieren, aus der Sandbox ausbrechen und dadurch Schadcode ausführen.
Beim Xiaomi Mi6 gelangen insgesamt fünf Angriffe. MWR Labs kombinierte beispielsweise fünf Bugs, um via JavaScript eine App auf dem Smartphone zu installieren.
Der Gewiner des diesjährigen Wettbewerbs ist das Team Fluoroacetate, die neben dem Preisgeld die obligatorischen Pwn20wn-Jacken abstauben konnten.
Die genauen Challenges [1][2]:
Day One
0930 - Fluoroacetate (@fluoroacetate) - Amat Cama and Richard Zhu targeting the Xiaomi Mi6 in the short distance (NFC) category
Success: - The Fluoroacetate team used an Out-Of-Bounds write in WebAssembly to get code execution via NFC. They earn themselves $30,000 USD and 6 Master of Pwn points.
1100 - MWR Labs (@mwrlabs) - Georgi Geshev, Fabi Beterke, Rob Miller targeting the Xiaomi Mi6 in the short distance (Wi-Fi) category
Success: - The MWR Labs team got code execution on the Xiaomi handset by using a chain of five different bugs - including the silent installation of app via JavaScript - to earn themselves $30,000 USD and 6 Master of Pwn points.
1230 - Fluoroacetate (@fluoroacetate) - Amat Cama and Richard Zhu targeting the Samsung Galaxy S9 in the baseband category
Success: - The Fluoroacatate duo successfully achieved code execution by using a heap overflow in the baseband component. The exploit earns them another $50,000 USD and 15 more Master of Pwn points.
1400 - Fluoroacetate (@fluoroacetate) - Amat Cama and Richard Zhu targeting the iPhone X in the short distance (Wi-Fi) category
Success: - The dynamic Fluoroacetate duo used a JIT bug followed by an Out-Of-Bounds write to get code execution on the iPhone X. They earned themselves an additional $60,000 USD and 10 more Master of Pwn points.
1530 - MWR Labs (@mwrlabs) -Georgi Geshev, Fabi Beterke, Rob Miller targeting the Samsung Galaxy S9 in the short distance (Wi-Fi) category
Success: - The team combined three bugs to load their application on Samsung Galaxy S9. The exploit chain earns them another $30,000 and 6 more Master of Pwn points.
1700 – Michael Contreras targeting the Xiaomi Mi6 in the browser category
Success: - Michael used a JavaScript type confusion bug to get code execution on the Xiaomi Mi6. He earned himself $25,000 and 6 Master of Pwn points.
Day Two
1000 – Fluoroacetate (Amat Cama and Richard Zhu) targeting the iPhone X in the browser category.
Success: - The Fluoroacetate team used a bug in JIT with an Out-Of-Bounds Access to exfiltrate data from the iPhone. In doing so, they earn themselves $50,000 and 8 Master of Pwn points.
1130 – MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) targeting the iPhone X in the browser category.
Failure: - The team could not get their exploit chain to work within the alloted time.
1300 – Fluoroacetate (Amat Cama and Richard Zhu) targeting the Xiaomi Mi6 in the browser category.
Success: - The Fluoroacetate duo used a used an integer overflow in the JavaScript engine of the Xiaomi web browser to exfiltrate a picture from the phone. They earn $25,000 USD and 6 Master of Pwn points.
1430 – Fluoroacetate (Amat Cama and Richard Zhu) targeting the iPhone X in the baseband category.
Failure: - The team could not get their exploit to work within the time alloted.
1600 – MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) targeting the Xiaomi Mi6 in the browser category.
Success: - The MWR Labs team used a download bug along with a silent app installation to load their custom app and exfiltrate pictures. They earned another $25,000 USD and 6 more Master of Pwn points.
[1] https://www.zerodayinitiative.com/blog/2018/11/12/welcome-to-pwn2own-tokyo-2018-day-one
[2] https://www.zerodayinitiative.com/blog/2018/11/13/pwn2own-tokyo-2018-day-two-schedule-and-updates