The popular hacker competition Pwn2Own hacked the operating systems Windows 10, Ubuntu, as well as Google Chrome and Zoom.
The first to demonstrate a successful Windows 10 exploit and make $ 40,000 was contributor Tao Yang of Palo Alto Networks, who used the Race Condition error to escalate privileges from a regular user to SYSTEM on a fully functional Windows 10 computer.
The second time around, Windows 10 was hacked using an undocumented integer overflow vulnerability to escalate permissions to NT Authority \ SYSTEM. A successful hack was demonstrated by a participant with the nickname z3r09. He also made $ 40,000 after elevating a privilege from a regular (unprivileged) user.
Microsoft's operating system was hacked for the third time during the first day of the Pwn2Own competition by the Viettel team, which elevated the privileges of a regular user to SYSTEM using another previously unknown integer overflow error.
The Viettel team also demonstrated a chain of code execution exploits on a Microsoft Exchange Server on the second day of the competition. However, their participation was considered partially successful given that some of the bugs they used were previously reported on the first day of competition by the Devcore team.
Confirmed! Tao Yan (@Ga1ois) of Palo Alto Networks used a Race Condition bug to escalate to SYSTEM on a fully patched #Windows 10 box. He earns $40,000 and 4 Master of Pwn points. #Pwn2Own pic.twitter.com/XQw14DvkfU
— Zero Day Initiative (@thezdi) April 7, 2021
On the second day of the competition, researchers Bruno Keith and Niklas Baumstark of Dataflow Security also earned $ 100,000 for the discovery of a type mismatch vulnerability in the Chromium-based Google Chrome and Microsoft Edge browsers.
Not spared and Zoom, the program was compromised by researchers Daan Keuper and Thijs Alkemade from companies Computest. They made $ 200,000 by running code on a target machine using a chain of exploits combining three different bugs.
Last but not least, the Ubuntu Desktop operating system was hacked for the second time by researcher Manfred Paul, who managed to gain root privileges and earned $ 30,000.
During the first two days of the Pwn2Own 2021 competition, security researchers topped the $ 1 million mark for the first time after successfully demonstrating exploits that netted them a total of $ 1,060,000.
Once vulnerabilities have been exploited and disclosed on Pwn2Own, hardware and software vendors are given 90 days to release security patches for all discovered vulnerabilities.
The total prize pool for the 2021 Pwn2Own competition is $ 1,500,000, as well as the Tesla Model 3 electric car. However, according to the publicly available timetable, none of the 23 participating teams have so far dared to demonstrate an exploit aimed at a Tesla vehicle.
In 2019, the Fluoroacetate team won the Tesla Model 3 electric car in the Pwn2Own competition by hacking into the electric car's infotainment system, which was based on the Chromium engine. The Fluoroacetate team also raised $ 375,000 from the Pwn2Own 2019 competition after successfully demonstrating multiple exploits targeting Apple Safari, Oracle VirtualBox, VMware Workstation, Mozilla Firefox, and Microsoft Edge.
0 Comments