The annual Pwn2Own browser-hacking competition has risen to mythical status over the years, with tall tales of security researchers exploiting, within minutes, browser technologies thought to be secure. For their efforts, researchers have been awarded cash and prizes by the event’s sponsor, Hewlett-Packard’s Zero Day Initiative (ZDI).
HP has now released the rules for the upcoming 2014 event and is adding a new category never seen before in a security competition: the Exploit Unicorn.
The Exploit Unicorn is a challenge that will require the successful security researcher to bypass multiple levels of security on multiple technologies in order to win.
To claim the Exploit Unicorn, a security researcher will need to exploit Microsoft Windows Internet Explorer 11 running on a 64-bit Windows 8.1 operating system, with the Enhanced Mitigation Experience Toolkit (EMET) running.
The EMET hook is the real catch in the Exploit Unicorn challenge. EMET provides a walled garden of security around an application that should make it near-impossible for an attacker to bypass, and bypassing it is the challenge. Whoever is able to claim the Exploit Unicorn will claim an impressive cash prize of $150,000 from HP.
Microsoft is not sponsoring this year’s Pwn2Own competition, Brian Gorenc, manager, vulnerability research for the HP Zero Day Initiative, told eWEEK.
“However, full details about any Microsoft vulnerabilities demonstrated at the contest, including the exploit techniques and EMET bypasses, will be disclosed to Microsoft following the competition, as we do for all vendors with products in the competition,” Gorenc said.
The Exploit Unicorn is the grand prize for the 2014 Pwn2Own event, and Gorenc said that the goal is to highlight the prowess of the best exploit developers in the world.
“We arbitrarily made it difficult and forced requirements they would not normally have to work around in a real-world situation, and are offering a significant prize package to attract the best of the best,” Gorenc said.
HP’s ZDI buys exploits year-round and, in fact, has been approached by a researcher looking to sell a Microsoft EMET bypass exploit.
The exploit didn’t meet the requirements for the upcoming 2014 Pwn2Own contest, but it demonstrates that researchers are looking at these protections for weaknesses, Gorenc said.
While the Exploit Unicorn is the grand prize of this year’s Pwn2Own event, researchers will still get a shot at claiming other prizes for exploiting browsers and their plug-ins. An attacker who is able to exploit Google Chrome on Windows 8.1 x64 will be awarded $100,000. The same amount is available for an attacker who is able to exploit Microsoft Internet Explorer 11 on Windows 8.1 x64. HP is offering $65,000 for a successful exploit of Apple’s Safari browser running on the OS X Mavericks operating system.
An exploit of Mozilla Firefox on Windows 8.1 x64 will yield a $50,000 reward.
“Pwn2Own prizes are based on the difficulty required to develop a successful exploit,” Gorenc said. “When an application has a sandbox, the exploit developer is required to take extra steps to gain control and privilege levels they desire.”
Java Plug-In Exploits
Pwn2Own researchers also take aim at browser plug-ins, including Adobe’s Flash and PDFs, with exploits earning $75,000 each.
HP will also award researchers $30,000 for a successful Java plug-in exploit. Java is one of the most attacked technologies today.
“This year, we are requiring the contestants to bypass the new click-through screens that Oracle implemented, which adds an extra layer of complexity,” Gorenc said.
In general, the Pwn2Own event only awards one prize per category to the first researcher to successfully demonstrate an exploit. During the 2013 Pwn2Own competition, the decision was made to purchase all the bugs submitted and successfully demonstrated, Gorenc said.
“As it stands, we are offering one prize per category as we did last year; however, once registration closes, we’ll be able to make a call as to whether extra prizes can be awarded based on what has been submitted,” Gorenc said.
The Pwn2Own 2014 event will take place at the CanSecWest conference March 12-13 in Vancouver, B.C.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.