Apple’s Safari, Ubuntu Desktop and Windows 10 all fell victim to the efforts of white hat hackers participating in this year’s Pwn2Own competition – with organiser Trend Micro paying out $180,000 for nine bugs across three categories, on Day One of the event alone.
Pwn2Own is an annual hacking competition that started in 2007, and which has grown to be one of the most prominent events in the security industry calendar. It is typically held in Vancouver at the CanSecWest conference, but last week Trend Micro announced that it would not be attending the event – and would be running the competition remotely.
The event tasks security researchers with uncovering vulnerabilities across operating systems, browsers and more.
This year, more than $1 million in cash and prizes are available to contestants, as well as a new Tesla Model 3 (also a target).
Two days into Pwn2Own, here's what's been popped.
On Day One, last year's overall winners Fluoroacetate (Amat Cama and Richard Zhu) used a use-after-free (UAF) in Windows to escalate from a regular user to SYSTEM, earning them $40,000.
This was one of two Windows exploits paid out on Day One alone: in a separate entry, Zhu exploited another UAF in Windows 10, earning a further $40,000.
On Day Two, the same team targeted Adobe Reader with a Windows local privilege escalation, using a pair of UAFs (Acrobat and the Windows kernel) to elevate privileges. They earned $50,000, meaning the duo have hit $130,000 for two days’ work.
Image caption: Insu Yun of the Georgia Tech SSL Team confirms the root shell on his team's exploit.

A team from the Georgia Tech Systems Software & Security Lab (@SSLab_Gatech), consisting of Yong Hwi Jin, Jungwon Lim, and Insu Yun, meanwhile targeted Safari with a macOS kernel escalation of privilege to earn a chunky $70,000.
As Trend Micro noted: “They chained together six unique bugs starting with a JIT vulnerability and ending with TOCTOU/race condition to escape the sandbox and pop a root shell. They also disabled System Integrity Protection (SIP) on the device to demonstrate that they achieved kernel-level code execution.”
Manfred Paul of the RedRocket CTF team chose to target the Ubuntu Desktop with a local privilege escalation (LPE) exploit. He leveraged an improper input validation bug in the kernel to go from a standard user to root. His first foray into the world of Pwn2Own earned him $30,000.
Day Two
Phi Phạm Hồng (@4nhdaden) of STAR Labs (@starlabs_sg) targeted Oracle VirtualBox in the Virtualisation category to kick off Day Two.
He used an out-of-bounds read and an uninitialised variable to gain code execution on the hypervisor and pop the box, earning himself $40,000.
The Synacktiv team of Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) were up next. They targeted VMware Workstation in the Virtualisation category but were ultimately unable to demonstrate their exploit in the time allotted.
The day finished with a special demonstration from Lucas Leong (@_wmliang_) of the Zero Day Initiative against Oracle VirtualBox.
Banner image shows Amat Cama and Richard Zhu. Credit: Trend Micro.