Over the last decade, the Zero Day Initiative’s (ZDI) annual Pwn2Own competition has emerged to become one of the premiere events on the information security calendar and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.
HPE sold its TippingPoint division, which includes ZDI, for $300 million to Trend Micro in 2016 and the Pwn2own event that year was hosted as a joint effort between the two companies. By the end of the two-day event in 2016, $460,000 in prize money was awarded to researchers that demonstrated a total of 21 zero-day vulnerabilities.
The Pwn2Own 2017 event is co-located at the CanSecWest conference in Vancouver, Canada, set for March 15-17. The 2017 event is sponsored by Trend Micro and unlike past Pwn2Own events, is not focused on web browsers.
Among the targets this year are Virtual Machines, including both VMware and Microsoft Hyper-V systems. Researchers will need to execute a virtualization hypervisor escape from the guest virtual machine, to run arbitrary code on the underlying host operating system. ZDI will pay a $100,000 reward to the security researcher that is able to successfully execute a Virtual Machine escape.
“We’re always considering new targets for each year,” Brian Gorenc, senior manager of vulnerability research with Trend Micro, told eWEEK.
Outside of the Pwn2Own event, ZDI is in the business of acquiring security vulnerabilities from researchers. Gorenc added that ZDI is actively acquiring virtual machine escapes through its’ program.
“Hopefully Pwn2Own will raise awareness among researchers, so we see even more of these reports,” Gorenc said.
While virtual machines are on the target list for Pwn2Own, Docker containers are not. Gorenc noted that containers weren’t really a consideration for this year’s contest.
Linux
Pwn2Own has targeted Apple’s macOS and Microsoft Windows based technologies for the past decade, but in 2017, the open-source Linux operating system has finally made the target list.
Pwn2Own researchers will specifically be able to target the Ubuntu 16.10 Linux operating system in a pair of separate challenges, one for privilege escalation, the other for server-side web host exploitation.
Researchers that target Linux will be awarded $15,000 if they can leverage a kernel vulnerability to escalate privileges. The same feat on Windows will earn a researcher $30,000, while a macOS escalation of privilege will be rewarded with $20,000.
Ubuntu Linux systems can be secured with an additional layer of mandatory access control security known as ‘AppArmor’ that in some cases would limit the risk of a local user privilege escalation exploit. Gorenc noted that for the Pwn2Own contest, ZDI is not setting up any AppArmor profiles for this year’s event.
On the server side, the ZDI will award a successful exploit against the open-source Apache Web Server running on Ubuntu 16.10 Linux with a $200,000 prize.
Web Browsers
Once again web browsers are a key target at Pwn2Own, with successful exploitation of Microsoft’s Edge browser or Google Chrome worth $80,000. A successful exploit of Apple’s Safari will be rewarded with a $50,000 prize.
After not being part of the 2016 event, Mozilla’s Firefox web browser is back on the Pwn2Own target list of 2017. A successful exploit of Firefox will earn $30,000.
“Mozilla improved their security enough for us to warrant their re-inclusion in the contest,” Gorenc said.
Additionally the 2017 Pwn2Own event will award researchers $50,000 for each successful exploit of Adobe Reader, Microsoft Office Word, Excel and PowerPoint. The total prize pool available for researchers is more than any other Pwn2Own event has ever offered.
“Much of the final tally will depend on how many entries we have,” Gorenc said. “We’re definitely over $1 million, which is our largest Pwn2Own ever.”
After 10 years of running Pwn2Own events, it’s likely that the hacking challenge will continue for many more years to come.
“While it would be great to live in a world with perfect security, we know this isn’t really practical,” Gorenc said. “A lot of great research has been through the contest and inspired by the contest – research which ended up improving security for everyone.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.