Here’s what happened on the first two days of the Pwn2Own event.
What is Pwn2Own
Pwn2Own is a bi-yearly computer hacking competition held by Trend Micro’s Zero Day Initiative (ZDI) to inform tech firms about exploits and vulnerabilities in their products before threat actors can find them. It is held at the CanSecWest security conference.
The contest started in April 2007 in Vancouver. White hat hackers from around the world can participate to discover unknown vulnerabilities in widely used mobile devices and software. Winners receive a cash reward, known as bounty.
The latest edition of Pwn2Own is currently underway, and the cash pool is way higher than the previous year, with $1.5 million to be given away.
Here are all the details of what happened on the first two days Pwn2Own 2021.
First Day of Pwn2Own
On the first day, participants earned over half a million dollars, and five out of seven attempts were declared successful. Here are all the winners:
Team Devcore received $200,000 for successfully controlling a Microsoft Exchange server by binding authentication bypass and local privilege escalation vulnerabilities.
A researcher using the alias OV also received $200,000 for detecting MS Teams code execution exploit.
RET2 Systems’ Jack Dates earned $100,000 for identifying a kernel-level code execution exploit in the Safari web browser, leveraging an integer overflow and an out-of-bounds write bug.
Team Viettel was awarded $40,000 for reporting a Windows 10 local privilege escalation vulnerability.
Flatt Security’s Ryota Shiga received $30,000 for finding a privilege escalation bug in Ubuntu Desktop.
Hence, the biggest reward worth $440,000 was given out to researchers for exploiting Microsoft products.
This year, Pwn2Own will have an automotive category as well, mainly for hacking Tesla cars. Participants will be offered $600,000 and a vehicle. However, as of now, no one had registered for this category.
Pwn2Own Second Day
On the second day of Pwn2Own, two researchers Daan Keuper and Thijs Alkemade from Computest received a $200,000 cash reward for reporting a Zoom exploit via remote code execution. They used three vulnerabilities to perform remote code execution on the latest versions of Zoom and Windows 10.
Bruno Keith and Niklas Baumstark from Dataflow Security identified an exploit that worked on Chrome and MS Edge browser simultaneously and earned $100,000.
Though Parallel virtualization product hack attempts weren’t successful on the first day, on the second day, RET2 Systems’ Jack Dates and Sunjoo Park were successful with it and earned $40,000 each. They were able to execute code on the underlying OS via the Parallels Desktop app.
Two attempts to escalate privileges on Windows 10 were also successful, while one privilege escalation exploit on Ubuntu was also successful. Participants earned $40,000 and $30,000 for these exploits respectively.
Team Viettel secured a partial win after their attempt to hack MS Exchange was successful, but they leveraged a flaw that was used in the competition previously.
Stay tuned for the Day 3 update.