Pwn2Own 2013: Java 7 SE Memory Corruption

By Joshua J. Drake ·

Back in March, during CanSecWest, the Zero Day Initiative (ZDI) team held their annual competition called Pwn2Own. This competition pits modern software against skilled and determined attackers. A successful contestant must be able to achieve arbitrary code execution on state-of-the-art operating systems by exploiting up-to-date applications. At a minimum, a winning entry requires the use of one "0-day" vulnerability. However, due to countermeasures, some successful exploits require three or more distinct vulnerabilities. Such a requirement increases the cost for attackers significantly and makes Pwn2Own more challenging.

This year, I was fortunate enough to be among the winners of Pwn2Own. During the competition, I demonstrated an exploit that utilized two distinct memory corruption vulnerabilities in version 7 of Oracle's Java Runtime Environment (JRE). This effort was the latest product of the research I’ve conducted into exploiting memory corruption issues in Oracle's JRE for the past four years.

Now that Oracle and ZDI have both released their public advisories for these issues, we felt the time was right to publish the full details of our entry into the competition. Accuvant LABS is pleased to announce the immediate availability of the exploit code and a white paper. The white paper explains the vulnerabilities, primitives, and exploitation techniques used to win the Pwn2Own competition. Our hope is that you will find this information helpful in your future endeavors. 

Shameless plug: Check out the upcoming “Android Hacker’s Handbook”.

Papers:

application-pdf Pwn2Own 2013 - Java 7 SE Memory Corruption.pdf

Security Tools:

package-x-genericpwn2own2013-jre7.zip