Bug hunters have gathered again to test their skills against some of the most popular and mature software programs during the Pwn2Own hacking contest. During the first day, they successfully demonstrated exploits against Microsoft Edge, Apple’s Safari, Adobe Reader, and Ubuntu Desktop.
The Pwn2Own contest runs every year during the CanSecWest security conference in Vancouver, Canada. It’s organized and sponsored by the Zero Day Initiative (ZDI), an exploit acquisition program operated by Trend Micro after its acquisition of TippingPoint.
This year the contest has a prize pool of US$1 million for exploits in five categories: virtual machines (VMware Workstation and Microsoft Hyper-V); web browser and plugins (Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari, and Flash Player running in Edge); local escalation of privilege (Windows, macOS, and Ubuntu Desktop); enterprise applications (Adobe Reader, Word, Excel, and PowerPoint) and server side (Apache Web Server on Ubuntu Server).
On the contest’s first day, two teams managed to take down Adobe Reader and combined other Windows kernel flaws into their attacks to achieve system-level privilege escalation. The team from Chinese security company 360 Security won $50,000 for their exploit chain, and the team from China-based internet company Tencent won $25,000.
Apple’s Safari was also exploited two times, first by a team made up of researchers Samuel Groß and Niklas Baumstark and later in the day by a team from the security research lab of China-based Chaitin Technology.
Both attacks combined different vulnerabilities resulting in arbitrary code execution as root on Apple’s macOS. The Groß and Baumstark attack chain was considered only a partial success and was rewarded with $28,000, compared to $35,000 for Chaitin’s exploit.
The Tencent security team also hacked Microsoft Edge and used a second bug to escape the browser’s sandbox. Edge, along with Chrome, are considered the hardest browsers to hack due to their sandbox mechanisms.
Tencent won $80,000 for its Edge exploit and later tried to hack Chrome too, but failed to complete its exploit chain in the allotted time.
The Chaitin Security Research Lab team also successfully demonstrated a kernel privilege escalation on Ubuntu Desktop that earned them $15,000.
There were also a few other failures and withdrawals. A researcher named Richard Zhu targeted Safari on macOS but failed to complete his attack in time. Researcher Ralf-Philipp Weinmann withdrew from his attempt to hack Microsoft Edge, and the Tencent team withdrew from their plan to demonstrate a privilege escalation on Windows.
No one attacked the hypervisors or the Apache web server yet, but the contest runs for one more day. A successful virtual machine escape is worth $100,000 and a compromise of Ubuntu Server through an Apache exploit will be rewarded with $200,000.
The researchers are required to share their exploits with the organizers who then share them with the affected software vendors so they can be patched. Trend Micro also uses the information to create detection signatures for its TippingPoint intrusion prevention systems.