Researchers rake in $280K at Pwn2Own hacking contest
Research teams Wednesday cracked Microsoft’s Internet Explorer 10 (IE10), Google’s Chrome and Mozilla’s Firefox at the Pwn2Own hacking contest, pulling in more than $250,000 in prizes.
Earlier in the day, a solo hacker exploited Oracle’s Java to win $20,000.
Vupen, a French vulnerability research and bug-selling firm that took first place at Pwn2Own last year, brought down IE10 running on a Windows 8 powered Surface Pro tablet by exploiting a pair of flaws.
“We’ve pwned [Microsoft’s] Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass,” Vupen announced on Twitter Wednesday afternoon.
HP TippingPoint, whose Zero Day Initiative (ZDI) bug bounty program is co-sponsoring Pwn2Own this year—Google has also pumped money into the contest—confirmed the Vupen hack in a tweet of its own.
According to Pwn2Own’s rules, which were dramatically revised from 2012’s challenge, the first researcher or team of researchers to hack IE10 on Windows 8 wins a $100,000 cash prize, plus the machine hosting the browser target.
Toward the end of the day, Vupen followed up with an exploit of Firefox 19 on Windows 7, collecting another $60,000.
Pwn2Own started Wednesday at the CanSecWest security conference in Vancouver, British Columbia, and will run through Friday.
Also on Wednesday, a two-man team from MWR Labs, an arm of UK-based MWR InfoSecurity, hacked Chrome 25 on Windows 7 by exploiting multiple “zero-day,” or unpatched, vulnerabilities in the browser and operating system.
Like the Vupen hack of IE10, MWR Labs’ exploit of Chrome resulted in a complete bypass of Windows anti-exploit “sandbox” technology. The MWR Labs researchers who found the bugs, built the exploits, and demonstrated their skills at Pwn2Own were Nils — a young German who is known only by his first name — and Jon Butler. Nils has a Pwn2Own history: He won $10,000 by hacking Mozilla’s Firefox in 2010, and $15,000 the year before for exploiting Firefox, IE8 and Apple’s Safari.
Nils and Butler described their Chrome hack in a brief blog post Wednesday, outlining how they defeated Windows’ security defenses, including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
For their work, Nils and Butler received $100,000.
At the opening of the contest, a pair of solo researchers—James Forshaw, a principal consultant at Context Information Security in the U.K., and Joshua Drake of Accuvant—exploited Oracle’s Java. Forshaw, who took his jabs first, won $20,000, Pwn2Own’s lowest-priced prize. Vupen also successfully hacked Java 7 with a vulnerability and exploit of its own.
In a departure from the original rules, ZDI said that it would purchase all successful vulnerabilities and their associated exploits from researchers, even those that were not awarded prizes. It did not say how much hackers would earn by selling such secondary flaws: ZDI and other bug bounty programs typically are tight-lipped about what they pay.
Several prizes went unclaimed Wednesday, including the two $70,000 awards for Adobe’s Flash Player and Adobe Reader on Windows 7, and the $65,000 check for Safari on OS X Mountain Lion. Flash and Reader are slated to be attacked today.
Google’s own contest, Pwnium 3, kicks off Thursday at CanSecWest when Chrome OS—the search giant’s browser-based operating system—will be targeted by researchers. Pwnium 3 is notable for the $3.14 million Google has set aside for potential awards, and for the individual prizes of as much as $150,000 for each successful exploit.
This is Pwn2Own’s eighth year, but the total prize pool of more than a half million dollars is a record for the contest.
More information about Pwn2Own can be found on TippingPoint’s blog.