The annual hacking event Pwn2Own was held for the first time remotely and several hackers from all over the world participated and demonstrated their capabilities.
On the first day of the contest, hackers won $180,000 for 9 bugs across three categories. Zero Day Initiative (ZDI) researchers verified their attempts, which were successful. Here’s a quick recap video of the day’s proceedings:
The day began with Pwn2Own newcomers – a team from Georgia Tech Systems Software & Security Lab (@SSLab_Gatech) consisting of Yong Hwi Jin, Jungwon Lim, and Insu Yun. They were targeting Apple Safari with a macOS kernel escalation of privilege. They chained together six unique bugs starting with a JIT vulnerability and ending with TOCTOU/race condition to escape the sandbox and pop a root shell. They also disabled System Integrity Protection (SIP) on the device to demonstrate that they achieved kernel-level code execution. Their smooth demonstration earned them $70,000 and 7 points towards Master of Pwn.
Next up, Pwn2Own veteran Flourescence set his sights on Microsoft Windows 10. His use-after-free (UAF) bug in Windows allowed him to escalate permissions to SYSTEM. He earned $40,000 and 4 Master of Pwn points in the process.
The third attempt of the day saw another Pwn2Own rookie take the field. Manfred Paul of the RedRocket CTF team chose to target the Ubuntu Desktop with a local privilege escalation (LPE) exploit. He leveraged an improper input validation bug in the kernel to go from a standard user to root. His first foray into the world of Pwn2Own earned him $30,000 and 3 points towards Master of Pwn.
The first day of Pwn2Own 2020 ended with the returning Fluoroacetate duo of Amat Cama and Richard Zhu ready to defend their Master of Pwn crown. They leveraged a UAF in Windows to escalate from a regular user to SYSTEM. This was a different UAF than the one used earlier in the day. This final entry of Day One earned them $40,000 and 4 points towards Master of Pwn.
In day two of the contest, Phi Phạm Hồng (@4nhdaden) of STAR Labs (@starlabs_sg) targeted Oracle VirtualBox in the Virtualization category. 4nhdaden using an OOB Read for an info leak and an unitialized variable for code execution on the hypervisor. He earned himself $40,000 and 4 Master of Pwn points.
The Fluoroacetate team of Amat Cama and Richard Zhu targeted Adobe Reader with a Windows local privilege escalation. The duo used a pair of UAFs - one in Acrobat and one in the Windows kernel - to elevate privilieges and to over the system. They earned $50,000 and 5 points towards Master of Pwn.
The Synacktiv team of Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) targeted the VMware Workstation in the Virtualization category. However, the team was unable to demonstrate their exploit in the time allotted.
A Special successful demonstration from Lucas Leong (@_wmliang_) of the Zero Day Initiative was against Oracle VirtualBox.