Edge, Firefox, Safari, And Tesla Hacked At Pwn2Own 2019
The final day of Pwn2Own Vancouver 2019 has come to a close, with participants from all around the world taking down various software and operating systems, and Tesla added to the list of "victims" in the new automotive category.
The event, sponsored by Microsoft, VMware, and Tesla, lasted three days. Overall, a total of $545,000 was awarded for 19 unique bugs in Apple Safari, Microsoft Edge and Windows, VMware Workstation, Mozilla Firefox, and – in its inaugural year – the Tesla infotainment system.
The end of day one saw 4 successful attempts and one partial win, with contestants earning $240,000 USD in cash awards – plus the laptops used to demonstrate their research.
The contest started with the team of Fluoroacetate (Amat Cama and Richard Zhu) targeting the Apple Safari web browser. They successfully exploited the browser and escaped the sandbox, using an integer overflow in the browser and a heap overflow for the sandbox escape. The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape. The code would fail, then try again until it succeeded. The demonstration earned them $55,000 USD and 5 points towards Master of Pwn.
The Fluoroacetate duo returned targeting Oracle VirtualBox in the virtualization category. Although their first attempt failed, the second attempt successfully used an integer underflow and a race condition to escalate from the virtual client to pop calc at medium integrity. It wasn’t the race condition that caused their failed first attempt. Their memory leak was working, but their code execution failed. Everything aligned on the second attempt, which earned them $35,000 USD and 3 more Master of Pwn points.
Next up, Pwn2Own newcomer anhdaden of STAR Labs also targeted Oracle VirtualBox. He also used an integer underflow to escalate from the virtual client to execute his code on the hypervisor at medium integrity. Interestingly, he used a unique integer underflow different from the previously demonstrated underflow. His first foray into Pwn2Own netted him $35,000 USD and 3 Master of Pwn points.
In their final entry for Day One, the Fluoroacetate duo targeted VMware Workstation. They leveraged a race condition leading to an out-of-bounds write to go from the virtual client to executing code on the underlying host operating system. They earned $70,000 USD and 7 additional Master of Pwn points. This brings their Day One total to $160,000 and 15 Master of Pwn points.
The final entry in Day One saw the phoenhex & qwerty team (@_niklasb, @qwertyoruiopz and @bkth_) targeting Apple Safari with a kernel elevation. They demonstrated a complete system compromise. By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. It was only a partial win since Apple already knew of one of the bugs used in the demo. Still, they earned themselves $45,000 USD and 4 points towards Master of Pwn.
For Day Two, $270,000 was awarded for a total of nine unique vulnerabilities.
The Fluoroacetate duo of Amat Cama and Richard Zhu targeted the Mozilla Firefox web browser. They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website. The effort earned them another $50,000 and five more points towards Master of Pwn.
The prolific duo returned with perhaps their greatest challenge of the competition. Starting from within a VMware Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page. That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware Workstation. The crafted exploit chain earned them $130,000 and 13 Master of Pwn points.
The third attempt of the day had Niklas Baumstark (@_niklasb) target the Mozilla Firefox web browser. He used a JIT bug in the browser followed by a logic bug to escape the sandbox. In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user. The successful demonstration earned him $40,000 and 4 Master of Pwn points.
The final attempt for Day Two had Arthur Gerkis (@ax330d) of Exodus Intelligence targeting Microsoft Edge. Another newcomer to Pwn2Own, he wasted no time, using a double free bug in the renderer followed by a logic bug to bypass the sandbox. His debut entry earned him $50,000 and five points towards Master of Pwn.
Last but not least, Tesla became the ultimate target of the prolific Fluoroacetate duo. They hacked a Tesla Model 3 by exploiting a JIT bug, and used its web browser to display their message. They earned $35,000 in prize money as well as that Tesla Model 3.
Regarding the exploits and bugs showcased at the event, all the details will be provided to the onsite companies to help them release their patches.