Pwn2Own is a computer hacking contest held annually. This year, hackers discovered vulnerabilities in Mozilla Firefox, Microsoft Edge and the Tesla Model 3, earning $510,000 in the contest.

At the annual Pwn2Own hacking competition, hackers demonstrate new zero-day bugs and are awarded by Trend Micro’s Zero Day Initiative (ZDI).

Day #1

Richard Zhu and Amat Cama (Team Fluoroacetate) target Apple Safari

The first day of the contest started with team Fluoroacetate (Amat Cama and Richard Zhu) targeting the Apple Safari browser. They successfully exploited the browser and escaped the sandbox, using an integer overflow in Safari and a heap overflow for the sandbox escape. The sandbox escape relied on a brute-force technique that took the entire allocated time: the code would fail, then try again until it succeeded. This earned them $55,000 USD and 5 points.

Amat Cama and Richard Zhu (Team Fluoroacetate) demonstrate their Oracle VirtualBox exploits

The Fluoroacetate duo returned, this time targeting Oracle VirtualBox. Although their first attempt failed, the second attempt succeeded, which earned them $35,000 USD and 3 more points.

In their final entry for the first day, the Fluoroacetate team also targeted VMware Workstation, which got them $70,000 USD and 7 additional points. This brought their total to $160,000 and 15 points.

anhdaden of STAR Labs shows off his successful Oracle VirtualBox demonstration

anhdaden from STAR Labs also targeted Oracle VirtualBox. His first foray into Pwn2Own netted him $35,000 USD and 3 points.

The phoenhex and qwerty team show off their Safari exploit

The final team, phoenhex & qwerty (@_niklasb, @qwertyoruiopz and @bkth_), exploited Apple Safari with kernel elevation. By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read, used twice, then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. Unfortunately, it was only a partial win since Apple already knew of one of the bugs used in the demo. Still, they earned themselves $45,000 USD and 4 points towards Master of Pwn.

Day #2

The second day began with the Fluoroacetate duo of Amat Cama and Richard Zhu exploiting the Mozilla Firefox web browser. They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website. The effort earned them another $50,000 and five more points towards Master of Pwn.

Richard Zhu and Amat Cama demonstrate their Firefox exploit

The prolific duo returned with perhaps their greatest challenge of the competition. Starting from within a VMware Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page. That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware Workstation. The masterfully crafted exploit chain earned them $130,000 and 13 Master of Pwn points. They now have a commanding lead with 33 points total. In the two days of the competition, they have racked up a total of $340,000 as a result of their phenomenal work. Tomorrow, they will attempt to cap their week off with a successful demonstration in the automotive category.

Niklas Baumstark targets Mozilla Firefox along with a sandbox escape

The third attempt of the day had Niklas Baumstark (@_niklasb) target the Mozilla Firefox web browser. He used a JIT bug in the browser followed by a logic bug to escape the sandbox. In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user. The successful demonstration earned him $40,000 and 4 Master of Pwn points.

Arthur Gerkis of Exodus Intelligence demonstrates his Microsoft Edge exploit

The final attempt for Day Two had Arthur Gerkis (@ax330d) of Exodus Intelligence targeting Microsoft Edge. Another newcomer to Pwn2Own, he wasted no time by using a double free bug in the renderer followed by a logic bug to bypass the sandbox. His debut entry earned him $50,000 and five points towards Master of Pwn.

Day #3

The day began not with a bang, but with a whimper as Team KunnaPwn withdrew their entry from the automotive category. Although they didn’t demonstrate any of their research at this contest, we hope they submit some of their research to our program in the future.

ZDI Analyst Jasiel Spelman prepares to run the demonstration from Richard Zhu

When their scheduled time arrived, the dynamic Fluoroacetate duo of Richard Zhu and Amat Cama thrilled the assembled crowd as they entered the vehicle. After a few minutes of setup, and with many cameras rolling, they successfully demonstrated their research on the Model 3 internet browser. They used a JIT bug in the renderer to display their message and earn $35,000. Of course, this is Pwn2Own so they also get the car.

The Master of Pwn trophy and awarded laptops

And it should come as no surprise that the Fluoroacetate team of Richard Zhu and Amat Cama have been crowned the Master of Pwn for 2019! Their amazing research earned them $375,000 over the contest and resulted in 36 Master of Pwn points. They dominated Pwn2Own Tokyo and have carried that wave through to the spring. We can’t wait to see what’s next for this pair of talented researchers.