On the second day of the 10th annual Pwn2Own hacking competition, researchers demonstrated an unparalleled number of zero-day exploits in fully patched operating systems and web browsers. By the time the dust had cleared late in the day on March 16, 11 out of 17 attempts at exploiting systems were successful, with researchers walking away with $340,000 in prize money.
On the first day of the Pwn2Own event, which is operated by Trend Micro’s Zero Day Initiative (ZDI) at the CanSecWest conference in Vancouver, researchers were awarded $233,000 for exploiting Microsoft Edge, Apple Safari, Adobe Reader and Ubuntu Linux.
The first exploit of the second day was found by researchers from 360 Security, who earned $40,000 for a chain of vulnerabilities that were able to exploit Adobe Flash. Tencent Security Team Sniper researchers were also able to exploit Flash, although through a different set of previously unknown issues, and were awarded $40,000 for their efforts.
Tencent Security Team Sniper was also able to successfully exploit the Microsoft Edge web browser with a pair of use-after-free (UAF) vulnerabilities. ZDI awarded Team Sniper $55,000 for the Microsoft Edge exploit.
While researchers at past Pwn2Own events often just targeted web browsers, the Microsoft Windows operating system was a valid target at the 2017 event, being exploited multiple times. Researchers from 360 Security found an out-of-bounds (OOB) Windows kernel bug, earning themselves a $15,000 award. Tencent Security Team Sniper followed up by demonstrating an integer overflow vulnerability in the Windows kernel, also earning a $15,000 award from ZDI.
Apple’s macOS and Safari web browser weren’t spared at this year’s Pwn2Own. On the second day of the event, the team from 360 Security was awarded $35,000 for an exploit chain that included an integer overflow vulnerability in Safari combined with a UAF vulnerability in the macOS kernel. The team was awarded an additional $10,000 for a race condition flaw in macOS that enabled privilege escalation.
The team of researchers from Chaitin Security Research Lab was also awarded $10,000 for demonstrating a different privilege escalation attack vector that made use of an OOB bug as well as an information leak issue.
After not being part of the 2016 Pwn2Own event, Mozilla’s Firefox web browser was a target at the 2017 event. The team from Chaitin Security Research Lab was able to successfully exploit Firefox running on Microsoft Windows, earning $30,000. The Firefox exploit involved the use of an integer overflow flaw as well as an uninitialized memory buffer in the Windows kernel.
While there were many successful attempts on the second day of Pwn2Own, there were also more failed attempts than at any other Pwn2Own event over its decade-long history. In total, on the second day of the event three research teams withdrew their attempts, there were two disqualified attempts and two entries were outright disqualified.
“The disqualifications were due to the bugs being already known either to ZDI or the vendor,” Dustin Childs, director of communication for ZDI, told eWEEK. “As such, they don’t qualify for this zero-day contest.”
Childs added that the withdrawals were a combination of bugs getting patched and exploit instability.
“Between enhanced mitigations and aggressive patching from vendors, it has become difficult to complete a full exploit chain,” Childs said. “The successful bugs we saw today showed some advanced research and creative thinking—especially the bugs inspired by previous ZDI advisories.”
Pwn2Own 2017 concludes on March 17 with three more scheduled exploit attempts, two of which target VMware’s virtualization technology.