Pwn2Own says C/C++ causes root
April 28, 2016  

Maybe this is beating a dead horse but I can’t help it. I just ran across @pwnallthethings‘ breakdown of the exploits used at last month’s Pwn2Own contest:

  1. Google Chrome to SYSTEM (360Vulcan)
    • 2x UAF in Flash -> browser
    • Out-of-bounds in Chrome -> broker (duplicate)
    • Kernel out-of-bounds -> SYSTEM
  2. Adobe Flash to SYSTEM (360Vulcan)
    • Flash type confusion -> browser
    • Windows kernel UAF -> SYSTEM
  3. Google Chrome (lokihardt)
    • Unknown—exploit failed
  4. Microsoft Edge to SYSTEM (lokihardt)
    • Uninitialized stack var -> browser
    • Dir traversal -> SYSTEM
  5. Apple Safari to root (lokihardt)
    • UAF in Safari -> browser
    • Two undisclosed vulns (presumably one KASLR)
    • Heap overflow -> root
  6. Apple Safari to root (Tencent Security Team Shield)
    • UAF in Safari -> browser
    • UAF in daemon -> root
  7. Adobe Flash to SYSTEM (Tencent Security Team Shield)
    • Unknown—exploit failed
  8. Microsoft Edge to SYSTEM (Tencent Security Team Sniper)
    • Out-of-bounds in Edge -> browser
    • Kernel heap overflow -> SYSTEM
  9. Adobe Flash to SYSTEM (Tencent Security Team Sniper)
    • Out-of-bounds in Flash -> browser
    • +KASLR in Windows
    • Windows UAF -> SYSTEM
  10. Apple Safari with root (Tencent Security Team Sniper)
    • UAF in Safari -> browser
    • Out-of-bounds in OSX kernel -> root
  11. Adobe Flash to SYSTEM (Tencent Xuanwu Lab)
    • Unknown—exploit failed

UAF (use-after-free), overflow, out-of-bounds, and type confusion are memory corruption bugs. The uninitialized stack var is probably a memory corruption bug too. That accounts for the great majority of the bugs (there are only two KASLR bugs, which are usually information leaks rather than memory corruptions).
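To make the two most common classes on the list concrete, here is an added example (not code from the post or from any of the exploited products) showing the defensive patterns that stop an out-of-bounds write and a use-after-free from becoming memory corruption in the first place: an explicit length check before every copy, and an ownership helper that clears the caller's pointer on free so a later use fails loudly instead of reading freed memory. The buffer size, the `widget` type and the input strings are constructed for the demonstration.

```c
/* Added example, not from the original post. Demonstrates the defensive
 * checks that prevent the out-of-bounds and use-after-free bug classes
 * listed above. All sizes and sample inputs here are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_CAP 16   /* constructed: small fixed capacity for the demo */

/* Fixed-capacity buffer; every write is checked against the capacity.
 * Returns 0 on success, -1 when the write would run past the end. */
typedef struct {
    char data[BUF_CAP];
    size_t len;
} bounded_buf;

int bounded_write(bounded_buf *b, const char *src, size_t n) {
    if (b == NULL || src == NULL) return -1;
    /* Written as a subtraction so the comparison cannot overflow. */
    if (n > BUF_CAP - b->len) return -1;   /* out-of-bounds write rejected */
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Hypothetical heap object standing in for any freed-then-reused structure. */
typedef struct { int value; } widget;

/* Ownership helper: free through this so the caller's pointer is cleared.
 * A later use then sees NULL instead of dangling into freed memory. */
void widget_release(widget **w) {
    if (w && *w) {
        free(*w);
        *w = NULL;
    }
}

/* Every read goes through a NULL check; -1 signals "object already released". */
int widget_value(const widget *w) {
    return w ? w->value : -1;
}

/* Two writes that fit: returns the resulting length (10). */
int demo_write_fits(void) {
    bounded_buf b = { .len = 0 };           /* initialized, not left on the stack as garbage */
    if (bounded_write(&b, "hello", 5) != 0) return -1;
    if (bounded_write(&b, "world", 5) != 0) return -1;
    return (int)b.len;
}

/* 20 bytes into a 16-byte buffer: rejected with -1 rather than overflowing. */
int demo_overflow_rejected(void) {
    bounded_buf b = { .len = 0 };
    return bounded_write(&b, "AAAAAAAAAAAAAAAAAAAA", 20);
}

/* Use after release: the pointer was cleared, so the read returns -1
 * instead of touching freed heap memory. */
int demo_uaf_caught(void) {
    widget *w = malloc(sizeof *w);
    if (!w) return -2;
    w->value = 42;
    widget_release(&w);
    return widget_value(w);
}

int main(void) {
    printf("write fits, len = %d\n", demo_write_fits());
    printf("overflow rejected: %d\n", demo_overflow_rejected());
    printf("use after release: %d\n", demo_uaf_caught());
    return 0;
}
```

The point of the pattern is that both failures turn into a checked return value at the API boundary, which a caller can handle, rather than silent corruption that only shows up once an attacker has shaped the heap.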

In short, when you offer a large cash reward to any hacker who can exploit your software and achieve root, their go-to bugs are memory corruption bugs in C/C++ code.