$1m payout barrier broken by attacks also targeting Microsoft Exchange, Windows 10

Pwn2Own 2021: Zero-click Zoom exploit among winners as bug payout record smashed

The flagship Pwn2Own live hacking event has broken new ground on two fronts after total payouts surpassed $1 million and the competition’s first-ever solo female contestant notched a victory.

Some 23 participating teams and lone security researchers collectively earned a record $1,210,000 from a total prize pool of $1,500,000 over the three-day event, which is organized by Trend Micro’s Zero Day Initiative (ZDI).

The contest concluded yesterday with a three-way tie for the coveted Master of Pwn crown, with Team DEVCORE, security researcher ‘OV’, and Daan Keuper and Thijs Alkemade from Dutch infosec firm Computest sharing top spot on the leaderboard with 20 Master of Pwn points apiece.

Pwn2Own’s 14th annual edition also featured a new category, with enterprise communications joining web browser, virtualization, server, and local escalation of privilege categories split between 10 targets.

First-time female triumph

The competition’s first-ever solo female contestant, Alisa Esage Shevchenko, leveraged ASCII art in a guest-to-host escape on Parallels Desktop. Because the bug had been disclosed before the contest, the entry counted as a ‘partial’ win, netting her two Master of Pwn points.

Taking to Twitter afterwards, the researcher declared herself “super hyped” at fulfilling “a major goal personally” after the “zero day Hypervisor VM Escape exploit on Mac, one of the first in the world, I think”.

Exchange takeover

The event’s second consecutive virtual edition (the event is ordinarily an in-person affair held in Vancouver, Canada) kicked off with eight successful entries.

Most notably, eventual Masters of Pwn ‘OV’ and DEVCORE both earned $200,000 prizes – the former for a two-bug chain in Microsoft Teams leading to code execution, the latter for an authentication bypass and local privilege escalation to seize control of the Microsoft Exchange server.

Fellow overall winners Daan Keuper and Thijs Alkemade earned the same amount the following day after deploying a three-bug chain to achieve zero-click code execution on Zoom Messenger.


Also among 11 successful entries on day two was a type mismatch bug leveraged by Bruno Keith and Niklas Baumstark of Dataflow Security to exploit the renderer in Google Chrome and Chromium-based Microsoft Edge, earning the pair $100,000.

The third and final day saw Benjamin McBride of L3Harris Trenchant, ‘Da Lao’, and Marcin Wiazowski earn $40,000 and four Master of Pwn points apiece for, respectively, a memory corruption bug leading to code execution on the Parallels Desktop host OS, an out-of-bounds (OOB) write to achieve a guest-to-host escape in Parallels, and a use-after-free bug to escalate to SYSTEM on Windows 10.

‘Hard to choose’

Asked for his favorite exploit, Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, told The Daily Swig: “It’s hard to choose between the Microsoft Exchange exploit and the 0-day Zoom demonstration. Both show amazing research and impact targets with millions of users.”

The event was streamed live on YouTube, Twitch, and the conference site, while the ZDI blog features a blow-by-blow account of how the exploit attempts unfolded.

Participating vendors now have 90 days to produce fixes for reported vulnerabilities before public disclosure.

Pwn2Own Vancouver 2020, which was hastily migrated to a virtual format last year with the Covid-19 pandemic in its early stages, was won by returning champions Richard Zhu and Amat Cama of Team Fluoroacetate after taking control of Adobe Reader and the Windows kernel via a pair of use-after-free bugs.

Amid the global vaccine rollout, Gorenc said it was unclear when a return to an in-person contest might be possible, “but our goal is to take the best of what we’re doing in the virtual format (remote participation, live streaming, real-time interviews, etc.) and combine it with a physical contest for a hybrid event”.
