At the annual Pwn2Own hacking competition, hackers demonstrated new zero-day bugs and were awarded by Trend Micro’s Zero Day Initiative (ZDI).
The first day of the contest started with the team Fluoroacetate (Amat Cama and Richard Zhu) exploiting the Apple Safari browser. They successfully exploited the browser and escaped the sandbox, using an integer overflow in Safari and a heap overflow to escape the sandbox. They used a brute-force technique during the sandbox escape, which took the entire allocated time: the code would fail, then try again until it succeeded. This earned them $55,000 USD and 5 points.
The Fluoroacetate duo returned, targeting Oracle VirtualBox. Although their first attempt failed, the second attempt succeeded, which earned them $35,000 USD and 3 more points.
In their final entry for the first day, Fluoroacetate also targeted VMware Workstation, which got them $70,000 USD and 7 additional points. This resulted in a total of $160,000 and 15 points.
anhdaden from STAR Labs also targeted Oracle VirtualBox. His first foray into Pwn2Own netted him $35,000 USD and 3 points.
The final team, phoenhex & qwerty (@_niklasb, @qwertyoruiopz and @bkth_), exploited Apple Safari with kernel elevation. By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read, used twice, then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. Unfortunately, it was only a partial win since Apple already knew of one of the bugs used in the demo. Still, they earned themselves $45,000 USD and 4 points towards Master of Pwn.
The second day began with the Fluoroacetate duo of Amat Cama and Richard Zhu exploiting the Mozilla Firefox web browser. They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website. The effort earned them another $50,000 and five more points towards Master of Pwn.
The prolific duo returned with perhaps their greatest challenge of the competition. Starting from within a VMware Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page. That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware Workstation. The masterfully crafted exploit chain earned them $130,000 and 13 Master of Pwn points. They now have a commanding lead with 33 points total. In the two days of the competition, they have racked up a total of $340,000 as a result of their phenomenal work. Tomorrow, they will attempt to cap their week off with a successful demonstration in the automotive category.
The third attempt of the day had Niklas Baumstark (@_niklasb) target the Mozilla Firefox web browser. He used a JIT bug in the browser followed by a logic bug to escape the sandbox. In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user. The successful demonstration earned him $40,000 and 4 Master of Pwn points.
The final attempt for Day Two had Arthur Gerkis (@ax330d) of Exodus Intelligence targeting Microsoft Edge. Another newcomer to Pwn2Own, he wasted no time by using a double free bug in the renderer followed by a logic bug to bypass the sandbox. His debut entry earned him $50,000 and five points towards Master of Pwn.
The day began not with a bang, but with a whimper as Team KunnaPwn withdrew their entry from the automotive category. Although they didn’t demonstrate any of their research at this contest, we hope they submit some of their research to our program in the future.
When their scheduled time arrived, the dynamic Fluoroacetate duo of Richard Zhu and Amat Cama thrilled the assembled crowd as they entered the vehicle. After a few minutes of setup, and with many cameras rolling, they successfully demonstrated their research on the Model 3 internet browser. They used a JIT bug in the renderer to display their message and earn $35,000. Of course, this is Pwn2Own so they also get the car.
And it should come as no surprise that the Fluoroacetate team of Richard Zhu and Amat Cama have been crowned the Master of Pwn for 2019! Their amazing research earned them $375,000 over the contest and resulted in 36 Master of Pwn points. They dominated Pwn2Own Tokyo and have carried that wave through to the spring. We can’t wait to see what’s next for this pair of talented researchers.