Qihoo 360 team at Pwn2Own 2017 competition
Cybersecurity researchers from Qihoo 360 won the top prize at Pwn2Own 2017 for successfully escaping from a VmWare virtual machineKaspersky Lab

A group of hackers have finally succeeded in hacking VMWare's virtual machine and breaking out of the sandbox at the Pwn2Own 2017 security competition held in Vancouver, Canada.

A team of white hat hackers from Chinese internet security firm Qihoo 360 succeeded in escaping a VMWare Workstation to win the grand prize of $105,000 (£80,130) on the third day of the Pwn2Own 2017, part of the Zero Day Initiative programme to reward cybersecurity researchers for disclosing security bugs responsibly.

In a first for the competition, the team managed the exploit by leveraging a heap overflow in the Microsoft Edge web browser, a type confusion in the Windows kernel and an uninitialised buffer in VMware Workstation to make a complete virtual machine escape.

"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," the team's leader Qihoo 360 Executive Director Zheng Zheng told The Verge.

"Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from, and only by, controlling a website."

The team will not say how long it took them to figure out this exploit, but it took only 90 seconds to demonstrate and execute the exploit.

The importance of virtual machines

VMWare's virtual machine is designed to enable users to run two different operating systems at once, with one operating system running in another window within the first operating system — sort of like a computer within a computer.

Virtual machines are very useful as they enable software developers to test bugs in software in a safe enclosed environment known as a 'sandbox' without the software causing their main machine to crash. This same technique is also used by cybersecurity researchers to safely test out the malicious properties of malware.

But it goes further than development. In a server, virtual machines are used to fence off one customer's data and operating system from other users accessing the same server, so the exploit has significant consequences.

Pwn2Own has invited hackers to compromise virtual machines before, but in 2016 no one even wanted to attempt to crack the technology, so the competition organisers raised the prize amount from $75,000 to $100,000. And since the Qihoo 360 team also discovered vulnerabilities in Edge and the Windows kernel, this earned them an additional $5,000.

Separately, the team also found a security bug in Adobe Reader and two Windows kernel bugs that helped them take down Reader, earning an additional $50,000, which earned them the "Master of Pwn" award at the end of the competition.