제로 데이 사파리 공격으로 Mac 완전 탈취 허용

ment 3/22 '19 posted editoy 27135 3/22 '19 edited 뉴스 IT

• 그들은 완전한 시스템 손상을 시연했으나, 애플이 이미 데모에서 사용된 버그 중 하나를 이미 알고 있었기 때문에 부분적인 승리에 불과했습니다.

• CanSecWest 컨퍼런스와 함께 캐나다 밴쿠버에서 열리는 Pwn2Own 2019는 Trend Micro의 Zero Day Initiative (ZDI)에서 주최합니다.

• 익스플로잇 체인에는 브라우저에서의 정수 오버 플로우와 힙 오버 플로우가 포함되어 샌드 박스를 벗어날 수 있었습니다.

• 또한 VMware Workstation 가상 시스템을 탈출하고 기본 호스트 운영 체제에서 코드를 실행하면 7 만 달러를 받았습니다.

• 마지막으로 phoenhex & qwerty 팀은 Apple Safari 익스플로잇를 통해 커널 상승을 사용하여 완벽한 시스템 손상으로 4 만 5 천 달러를 벌었습니다.

• 악의적인 웹 사이트를 방문하는 것을 포함한 이들의 익스플로잇은 JIT (Just-In-Time) 버그, 힙 OOB (Out of Bound) 읽기 및 TOCTOU (Time of Check-Time-of-Use) ) 버그로 루트에서 커널로 피벗됩니다.

…

participants hacked Apple, Oracle, VMware productsSecurity Affairs [securityaffairs.co]

The 19th annual CanSecWest security conference is underway in Vancouver, Canada, including the…

Two Zero-Day Vulnerabilities Discovered in Safari for Mac on Day One of Pwn2Own Hacking Contest [www.macrumors.com]

White-hat hackers at a security conference in Vancouver have found two zero-day Safari…

Zero-day Safari exploits allowed complete takeover of Mac [9to5mac.com]

…

Pwn2Own Vancouver 2019: Day One Results [www.thezdi.com]

…

eWeek.com Welcome Page [www.eweek.com]

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park,…

Hackers Take Down Safari, VMware and Oracle at Pwn2Own [threatpost.com]

Apple’s Safari web browser and the Oracle VirtualBox and VMware Workstation virtualization…

Apple, Oracle, VMware Software Hacked at Pwn2Own 2019 [www.securityweek.com]

Day in and day out, vendors do their best to keep their software…

Pwn2Own Researchers Reveal New Zero-Day Exploits [www.eweek.com]

newest replies popular replies

Open Wiki - Feel free to edit it. -

3/22 '19 answered

제로-데이 사파리 취약점 2개 발견돼. 하나, 맥을 완전 컨트롤하는 심각한 결함으로 맥 액세스를 위해 루트와 커널 둘 다 장악함. 다른 결함, 자체 데이터와 애플이 허락한 시스템 데이터에 액세스 하는 앱을 보호하는 샌드박스를 우회. Pawn.ZDI 첫날 해커들에 24만 불 지불. https://t.co/HfucLkoO73
— Wan Ki Choi (@wkchoi) March 21, 2019

Threatpost | Hackers Take Down Safari, VMware and Oracle at Pwn2Own https://t.co/VNRgBeDZOV
— Kimberly (@StopMalvertisin) March 21, 2019

Pwn2Own 2019 - Apple Safari, VirtualBox, VMware wrecked - Earned $240,000 by Submitting Zero-day'shttps://t.co/RaAhCPEF7L
— ?? ?? (@0x2AE) March 21, 2019

permanent link

Open Wiki - Feel free to edit it. -

3/22 '19 answered

トレンドマイクロのハッカーコンテスト的なイベントでmacOS版Safariで権限昇格が出来る2件のゼロデイ脆弱性が発見される。Appleはまだ修正していないので、脆弱性の詳細も非公開。 / “Zero-day Safari exploits allowed complete takeover of Mac - 9to5Mac” https://t.co/nO0wmXfYRJ
— ⓀⒾⒺⓉⒶ (@typex20) March 22, 2019

Researchers hacked Apple's Safari, Oracle VirtualBox, and VMware Workstation in Pwn2Own Vancouver 2019 contest, earning $240K in cash awards https://t.co/3xPtYOzSuf
— Rich Tehrani (@rtehrani) March 21, 2019

Hackers Take Down Safari, VMware, And Oracle At Pwn2Own https://t.co/s5vkQUfAfq #news
— packet storm (@packet_storm) March 22, 2019

Hackers Take Down Safari, VMware and Oracle at Pwn2Own https://t.co/iPmpXnuDjJ #CyberSecurity pic.twitter.com/LSsTNcTm2N
— Angelo G Longo (@aglongo) March 21, 2019

Apple Safari, Oracle VirtualBox and VMware Workstation were hacked on the first day of the #Pwn2Own 2019 hacking competition, earning researchers a total of $240,000 in cash. https://t.co/I3zGY9Mkjs
— Eduard Kovacs (@EduardKovacs) March 21, 2019

permanent link

Featured

Important Notice: Discontinuation of Our Wiki Service

Dear Valued Users,

We hope this message finds you well. We are writing to inform you of an important upcoming change to our services. After careful consideration and analysis, we have made the difficult decision to discontinue our wiki site, effective one month from 2024/04/30.

This was not an easy decision to make, as we understand the importance of the resources and community that have been built around our wiki. However, due to evolving market conditions and strategic realignments, we must redirect our resources and efforts towards other ventures that will allow us to serve you better in the future.

What This Means for You:

Access to Content: You will continue to have full access to all content on the wiki until the discontinuation date. We encourage you to save or migrate any content you wish to retain.
Final Date of Service: The wiki will become inaccessible starting 1st June 2024, after which all content will be permanently removed.

We are immensely grateful for the support and contributions of our user community throughout the years. The wiki is being retired, but our team will be back soon with new services and apps.

Thank you for being a part of our journey.

Warm regards,

editoy Inc.

Related

Featured