Pwn2Own: Oracle, Safari, Ubuntu, Windows 10 Among the Early Victims

Competition pays out $190,000 for exploits on Day 1...

By CBR Staff Writer

Apple’s Safari, Ubuntu Desktop and Windows 10 all fell victim to the efforts of white hat hackers participating in this year’s Pwn2Own competition – with organiser Trend Micro paying out $180,000 for nine bugs across three categories, on Day One of the event alone.

Pwn2Own is an annual hacking competition that started in 2007, and which has grown to be one of the most prominent events in the security industry calendar. It is typically held in Vancouver at the CanSecWest conference, but last week Trend Micro announced that it would not be attending the event – and would be running the competition remotely.

The event tasks security researchers with uncovering vulnerabilities across operating systems, browsers and more.

This year, more than $1 million in cash and prizes are available to contestants, as well as a new Tesla Model 3 (also a target).

Two Days In to Pwn2Own, Here’s What’s Been Popped

On Day One, last year’s overall winners Fluoroacetate (Amat Cama and Richard Zhu) tapped a use-after-free (UAF) in Windows to escalate from a regular user to SYSTEM, earning them $40,000.

This was one of two Windows exploits rewarded on Day One alone: Zhu had earlier exploited another UAF in Windows 10, earning a further $40,000.

On Day Two, the same team targeted Adobe Reader with a Windows local privilege escalation, using a pair of UAFs (one in Acrobat and one in the Windows kernel) to elevate privileges. They earned $50,000, meaning the duo have hit $130,000 for two days’ work.

Image: Insu Yun of the Georgia Tech SSL Team confirms the root shell on his team’s exploit.

A team from the Georgia Tech Systems Software & Security Lab (@SSLab_Gatech), consisting of Yong Hwi Jin, Jungwon Lim and Insu Yun, meanwhile targeted Safari with a macOS kernel escalation of privilege to earn a chunky $70,000.

As Trend Micro noted: “They chained together six unique bugs starting with a JIT vulnerability and ending with TOCTOU/race condition to escape the sandbox and pop a root shell. They also disabled System Integrity Protection (SIP) on the device to demonstrate that they achieved kernel-level code execution.”

Manfred Paul of the RedRocket CTF team chose to target the Ubuntu Desktop with a local privilege escalation (LPE) exploit. He leveraged an improper input validation bug in the kernel to go from a standard user to root. His first foray into the world of Pwn2Own earned him $30,000.

Day Two 

Phi Phạm Hồng (@4nhdaden) of STAR Labs (@starlabs_sg) targeted Oracle VirtualBox in the Virtualization category to kick off Day Two.

He used an out-of-bounds read and an uninitialised variable for code execution on the hypervisor to pop the box, earning himself $40,000.

The Synacktiv team of Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) were up next. They targeted VMware Workstation in the Virtualisation category but were ultimately unable to demonstrate their exploit in the time allotted.

The day finished with a special demonstration from Lucas Leong (@_wmliang_) of the Zero Day Initiative against Oracle VirtualBox.

Banner image shows Amat Cama and Richard Zhu. Credit: Trend Micro.