The annual Pwn2own browser-hacking competition at the CanSecWest conference in Vancouver, Canada, started March 16 with $282,500 awarded in first-day prizes.
Hewlett Packard Enterprise and Trend Micro are jointly sponsoring this year’s Pwn2own event. As part of the first day, a group of researchers identified as the 360Vulcan Team were the big winners, walking away with $132,500 in prize money for exploiting Adobe Flash and Google Chrome. The Flash exploit made use of a type confusion bug in Adobe Flash as well as a vulnerability in Microsoft’s Windows 10.
“The [Windows] kernel vulnerability was a use-after-free vulnerability,” Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. “They successfully chained both of these to compromise the target at the system level.”
For the Flash and Windows chained exploit, the 360Vulcan Team received $80,000. The second exploit demonstrated by 360Vulcan Team was against Google’s Chrome and made use of four new zero-day vulnerabilities, two use-after-free vulnerabilities in Adobe Flash, one use-after-free vulnerability in the Windows Kernel and an out-of-bounds vulnerability in Google Chrome. For the Chrome exploit, 360Vulcan Team was awarded $52,500.
Independent security researcher JungHoon Lee earned $60,000 on the first day of Pwn2own 2016 by exploiting Apple’s Safari browser. Lee found four vulnerabilities in total, including issues in Safari as well as Apple’s OS X desktop operating system.
“One of the vulnerabilities was in Safari, the other three were vulnerabilities within Mac OS X,” Budd said.
Chinese corporation Tencent is well-represented at Pwn2own 2016, with three teams competing—Sniper, Shield and Xuanwu. Tencent’s Team Sniper earned $50,000 on the first day of Pwn2own by successfully demonstrating a new attack against Adobe Flash that exposed a new out-of-bounds vulnerability in Flash and a use-after-free vulnerability in Windows.
Tencent’s Team Shield’s attention was on Apple’s Safari, where the group was able to find three new vulnerabilities. One of the vulnerabilities is a use-after-free memory issue in Safari while the other is in a Mac OS X privileged process. For their efforts in attacking Safari on OS X, Tencent’s Team Shield was awarded $40,000.
Day Two of Pwn2own 2016 includes Tencent’s Team Sniper taking another shot at exploiting Apple’s Safari. JungHoon Lee will be attempting to exploit the Microsoft Edge browser as well as Google Chrome. Tencent’s Team Shield will use the second day of Pwn2own to attempt to exploit Microsoft Edge as well.
One target that isn’t being attempted by security researchers is VMware Workstation. As part of the contest, there is an award for a researcher who is able to execute a hypervisor escape from the VMware Workstation virtual machine on which the Windows-based browsers will be running. Budd isn’t surprised that no researcher has decided to try and attack VMware Workstation.
It’s a new vector for attack, and one that can be particularly challenging,” Budd said. “Given the amount of time required for adequate research, it’s not surprising that no one has signed up this year. However, we do expect to see people sign up for this next year.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.