$hell on Earth
The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state-of-the-art techniques in software exploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plug-in. In most cases, these privileges were attained through the exploitation of the Microsoft Windows® or Apple OS X® kernel. Kernel exploitation, using the browser as an initial vector, was a rare sight in previous contests.

This white paper will detail the eight winning browser-to-super-user exploitation chains demonstrated at this year's contest. Topics such as modern browser exploitation, the complexity of kernel use-after-free vulnerability exploitation, the simplicity of exploiting logic errors, and directory traversals in the kernel are also covered. This paper analyzes all attack vectors, root causes, exploitation techniques, and remediation for the vulnerabilities.

Reducing attack surfaces with application sandboxing is a step in the right direction. However, the attack surface remains expansive, and sandboxes only serve as minor obstacles on the way to complete compromise. Kernel exploitation is clearly a problem that has not disappeared and is possibly on the rise. If you're like us, you can't get enough of it—it's shell on earth.