The latest edition of the 2021 Pwn2Own hacking contest came to end last week and witnessed some very remarkable exploits including Zoom, Microsoft, Ubuntu, and various other platforms.
The Pwn2Own Hacking contest:
To the unaware, Pwn2Own is a hacking contest held at the CanSecWest security conference every year.
Initiated in 2007, the contest is now held year twice a year where participants are challenged to exploit the most extensive and popular software and mobile devices with previously unknown vulnerabilities.
The Pwn2Own contest held this year was a virtual three-day tournament and it was reported that a sum total of over $1.2 million was granted as prize money for 16 high-ranking exploits.
Pwn2Own exploits and earnings:
Some of the most widely used platforms that were held at target and found with successful exploit attempts were Zoom, Microsoft Teams, Microsoft Exchange, Microsoft Edge, Windows 10, Apple Safari, Google Chrome, Parallels Desktop, and Ubuntu Desktop operating systems.
The below listings discuss the various platforms and the details of the exploits that were awarded for-
- Zoom – A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system. This exploit was granted $200,000 each.
- Microsoft Teams– Chaining a pair of bugs to achieve code execution in Teams. This exploit earned researcher OV $200,000
- Microsoft Exchange– Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server. The Devcore team earned $200,000 in this exploit.
- Windows 10– Leveraging use-after-free, race condition, and integer overflow bugs in Windows 10 to escalate from a regular user to SYSTEM privileges. The exploit was granted $40,000 each.
- Apple Safari-The exploitation of an integer overflow flaw in Safari and an out-of-bounds write to get kernel-level code execution. This exploit was granted $100,000.
- Google Chrome and Microsoft Edge- An exploit aimed at the Chrome renderer to hack Google Chrome and Microsoft Edge (Chromium) browsers. The exploit was granted $100,000.
- Parallels Desktop-Combining three flaws — an uninitialized memory leak, a stack overflow, and an integer overflow — to escape Parallels Desktop and execute code on the underlying operating system. This exploit was granted $40,000 each.
- Parallels Desktop- Exploiting a memory corruption bug to successfully execute code on the host operating system from within Parallels Desktop. The exploit was granted $40,000 each.
- Ubuntu Desktop-The exploitation of out-of-bounds access bug to elevate from a standard user to root on Ubuntu Desktop. The exploit was granted $30,000 each.