Pwn2Own 2019 has yet again proved that a secure system is nothing but a myth. In its two days running, the contest has claimed many high-profile victims, including Tesla, Firefox, and Safari. Pwn2Own is an annual hacking contest held in Vancouver alongside the CanSecWest conference.
In the contest, hackers are required to identify flaws in the security mechanisms of popular software and operating systems such as macOS and Windows 10. Hackers have so far taken down macOS Safari, Windows Edge and Firefox, and have run code on the native hardware of two VMs (virtual machines).
First Day Achievements at Pwn2Own:
On the first day of Pwn2Own, hackers Amat Cama and Richard Zhu, working as team Fluoroacetate, targeted the Apple Safari browser and escaped its sandbox using an integer overflow and a brute-force technique to win $55,000. It is worth noting that this was the first of team Fluoroacetate's three successes that day.
Later on, Zhu and Cama shifted their focus to Oracle’s VirtualBox, an open-source hypervisor for x86-class computers, and popped calc on it, using an integer overflow and a race condition to escalate from the virtual client. Their first attempt wasn’t a success, but on the second attempt they managed to align everything and executed the code successfully to earn $35,000.
Their third success was compromising VMware Workstation, which they pulled off by leveraging a race condition. They chained it to an out-of-bounds write and jumped from the virtual client to execute code on the host operating system, earning $70,000.
STAR Labs’ Anhdaden team was also successful in compromising Oracle VirtualBox, using an integer underflow to escalate from the virtual client. They were able to execute code on VirtualBox at medium integrity. Their integer underflow technique was quite different from team Fluoroacetate’s method. Anhdaden was awarded $35,000 for this achievement.
The Phoenhex and Qwerty Team hackers, who could only be identified by their Twitter IDs, namely @_niklasb, @qwertyoruiopz, and @bkth_, also managed to hack Apple Safari with a kernel elevation and secured a full system compromise. They visited a website to trigger a JIT bug and then escalated from root to kernel through various out-of-bounds and Time-of-Check-Time-of-Use (TOCTOU) bugs. However, they received only partial credit for their efforts, since one of the bugs was already known to Apple. They received a cash amount of $45,000 nonetheless.
Second Day Achievements at Pwn2Own:
Pwn2Own’s second day brought to light vulnerabilities in the Microsoft Edge and Mozilla Firefox browsers. After a wonderful first day, team Fluoroacetate’s Amat Cama and Richard Zhu were on a roll on Thursday as well. They leveraged a JIT bug in Mozilla Firefox and then an out-of-bounds write in the Windows kernel, a one-two punch that gave them control of the system. They could execute code at SYSTEM level through Firefox and earned $50,000.
The team also targeted Microsoft Edge with a kernel escalation and a VMware escape. They used a confusion bug in the Edge browser, a race condition in the kernel, and then an out-of-bounds write in VMware to get from the browser in a virtual client to executing code on the host operating system. For their achievements, they were awarded 13 Master of Pwn points and earned $130,000.
Furthermore, Niklas Baumstark targeted Firefox with a sandbox escape facilitated by a JIT bug and a logic bug, earning 4 Master of Pwn points as well as $40,000. Exodus Intelligence’s Arthur Gerkis also attacked Microsoft Edge, using a double free in the renderer together with a logic bug to escape the sandbox, and earned $50,000.
Day Three Achievements at Pwn2Own:
Day three at Pwn2Own was difficult for Tesla, as team KunnaPwn targeted the Tesla Model 3’s VCSEC component. However, the team later withdrew their entry. On the other hand, Amat Cama and Richard Zhu managed to compromise the same vehicle’s infotainment system using a JIT bug to win $35,000 and the vehicle.