Recently the results of the three days of the competition Pwn2Own 2021, held annually as part of the CanSecWest conference.
As in the previous year, the contests were held virtually and the attacks were demonstrated online. Of the 23 targets, operational techniques to exploit previously unknown vulnerabilities have been demonstrated for Ubuntu, Windows 10, Chrome, Safari, Parallels Desktop, Microsoft Exchange, Microsoft Teams, and Zoom.
In all cases, the latest software versions were tested, including all available updates. The total amount of the payments was one million two hundred thousand US dollars.
In the competition, three attempts were made to exploit vulnerabilities in Ubuntu of which the first and second attempts were counted and the attackers were able to demonstrate the escalation of local privileges through the exploitation of previously unknown vulnerabilities related to buffer overflows and double memory freeing (in which the components of the problem have not yet been reported and developers are given 90 days to correct bugs until the data is disclosed ).
Of these vulnerabilities that were demonstrated for Ubuntu, bonuses of $ 30,000 were paid.
The third attempt, made by another team in the category of abuse of local privileges, it was only partially successful: the exploit worked and allowed to get root access, but the attack was not fully credited, as the bug associated with the vulnerability was already cataloged and it was known to Ubuntu developers and an update with a fix was being prepared.
Also a successful attack has been demonstrated for browsers with Chromium technology: Google Chrome and Microsoft Edge, of these a bonus of $ 100,000 was paid for creating an exploit that allows code to be executed when you open a specially designed page in Chrome and Edge (a universal exploit was created for both browsers).
In the case of this vulnerability, it is mentioned that the correction is expected to be published in the next few hours, while it is only known that the vulnerability is present in the process that is responsible for processing the web content (renderer).
On the other hand, 200 thousand dollars were paid in Zoom and it was shown that the Zoom app can be hacked by executing some code sending a message to another user, no need for any action by the recipient. The attack used three vulnerabilities in Zoom and one in the Windows operating system.
A bonus of $ 40,000 was also given for three successful Windows 10 operations in which vulnerabilities related to integer overflow, access to memory already freed, and race conditions that allowed obtaining SYSTEM privileges were demonstrated).
Another attempt which was shown, but in this case was unsuccessful was for VirtualBox, which remained within the rewards along with Firefox, VMware ESXi, Hyper-V client, MS Office 365, MS SharePoint, MS RDP and Adobe Reader that remained unclaimed.
There were also no people willing to demonstrate the hack of the Tesla car information system, despite the $ 600,000 prize plus the Tesla Model 3 car.
Of the other awards that were awarded:
- $ 200,000 to decrypt Microsoft Exchange (bypassing authentication and local privilege escalation on the server to gain administrator rights). Another team was shown another successful exploit, but the second prize was not paid as the first team already used the same bugs.
- 200 thousand dollars in hacking Microsoft equipment (code execution on the server).
- $ 100,000 for Apple Safari operation (integer overflow in Safari and buffer overflow in macOS kernel to avoid sandboxing and execute kernel-level code).
- 140,000 for hacking Parallels Desktop (logging out of the virtual machine and running the code on the main system). The attack was carried out by exploiting three different vulnerabilities: uninitialized memory leak, stack overflow, and integer overflow.
- Two $ 40,000 prizes for Parallels Desktop hacks (logic error and buffer overflow that allowed code to run on an external operating system through actions within a virtual machine).