Posted on March 23, 2018 at 8:54 AM
White hat hackers have received a lot of prizes at this year’s Pwn2own security conference. Flaws have been exposed in all manner of big-name platforms, including Mozilla, Apple Safari, and more. Organizers have awarded a total of $267,000 in prizes over the two-day contest.
The Pwn2own contest took place on March 14 and 15 and challenged white hats with a thirty-minute task. Hackers were challenged to exploit zero-day flaws in products developed by Apple, Microsoft, Mozilla, and Oracle.
Competitors of note
Richard Zhu, online handle fluorescence, was the first challenger to attempt hacking Apple’s Safari browser, on March 14. He used a sandbox escape to hack the browser but was unsuccessful within the thirty minute time frame. He then turned his attention to Microsoft Edge and was able to break in using two use-after-free flaws. He won $70k for his work at the conference that day. The next day, he turned on Mozilla’s Firefox and successfully hacked the browser using out-of-bounds read flaw vulnerability and an integer overflow in the Windows kernel. He was able to enter FireFox with elevated privileges. That hack earned him $50k more. Zhu was also the overall winner of the contest, which grants the title of Master of Pwn.
Confirmed! @5aelo used a JIT optimization bug in the browser, a macOS logic bug, & a kernel overwrite to execute code to successfully exploit Apple Safari. This chain earned him $65K & 6 points Master of Pwn points. pic.twitter.com/iLfNFnXzzs
— Zero Day Initiative (@thezdi) March 15, 2018
Samuel Gross, from the phoenhex team, also targeted the Safari browser on March 14. He used a JIT optimization bug. He paired the JIT with a macOS logic bug and a kernel overwrite and was able to successfully break into Safari. He earned $65k for his work on Apple’s browser.
Congrats to @RZ_fluorescence on being named Master of Pwn for #Pwn2Own 2018! His exploits for Edge and Firefox earned him $120,000, this sweet jacket, and the trophy. We hope he returns in the future to defend his title. pic.twitter.com/ljKhmjJrHn
— Zero Day Initiative (@thezdi) March 16, 2018
Three hackers from Ret2 systems, Markus Gaasedelen, Nick Burnett and Patrick Biernat, took their shot at Safari with a macOS kernel EOP. It took the team four tries to exploit the browser, which unfortunately did not win them any prizes. The rules of the Pwn2own state that hackers have only three attempts to successfully hack a product.
Another team to test their mettle at Pwn2own was MWR Labs. Alex Plaskett, Georgi Geshev and Gabi Beterke attacked Safari with sandbox escape, like Zhu. Unlike the Master of Pwn, the team was successful in this gambit, because they were able to leverage a heap buffer underflow and an uninitialized stack variable in macOS. They won $55k for their efforts.
Sponsors and a mission for a better world
Pwn2own was held in Vancouver at CanSecWest, and invited hackers from around the globe to participate. The contest is sponsored by Trend Micro’s Zero Initiative. Findings made at the conference are reported to the vendors, in an effort to keep the web safer for us all.