Pwn2Own 2020 was brought online due to Covid-19, and hacks were shown for Ubuntu, VirtualBox and more

Pwn2Own is a hacking contest held annually at the CanSecWest security conference, beginning in 2007. Participants face the challenge of exploiting widely used software and mobile devices with hitherto unknown vulnerabilities.

Contest winners receive the device they exploited, a cash prize, and a "Masters" jacket celebrating the year of their victory. The name "Pwn2Own" is derived from the fact that participants must "pwn" (hack) the device in order to "own" (win) it.

The Pwn2Own contest is used to demonstrate the vulnerability of widely used devices and software, and it also provides a checkpoint on the progress made in security since the previous year.

About Pwn2Own 2020

In this new edition, Pwn2Own 2020, the competitions were held virtually and the attacks were shown online, due to the problems generated by the spread of the coronavirus (Covid-19). This is the first time the organizer, the Zero Day Initiative (ZDI), has decided to run the event allowing participants to demonstrate their exploits remotely.

During the competition, various working techniques were presented to exploit previously unknown vulnerabilities in Ubuntu Desktop (Linux kernel), Windows, macOS, Safari, VirtualBox and Adobe Reader.

The total payouts amounted to 270 thousand dollars (the total prize pool was over US$4 million).

In summary, the results of the two days of the Pwn2Own 2020 competition, held annually at the CanSecWest conference, are as follows:

  • During the first day of Pwn2Own 2020, a team from the Georgia Tech Systems Software and Security Lab (@SSLab_Gatech) hacked Safari with macOS kernel-level privilege escalation and launched the calculator with root privileges. The attack chain involved six vulnerabilities and allowed the team to earn $70,000.
  • During the event, Manfred Paul from "RedRocket" demonstrated local privilege escalation in Ubuntu Desktop by exploiting a vulnerability in the Linux kernel associated with incorrect verification of input values. This earned him a prize of $30.
  • A demonstration was also made of escaping a guest environment in VirtualBox and executing code with the rights of the hypervisor by exploiting two vulnerabilities: the ability to read data from an area outside the allocated buffer, and an error when working with uninitialized variables. The prize for proving this flaw was $40. Outside of the competition, representatives of the Zero Day Initiative also demonstrated another VirtualBox trick, which allows access to the host system through manipulations in the guest environment.
  • Two demonstrations of local privilege escalation in Windows by exploiting vulnerabilities that lead to access to an already freed memory area (use-after-free); for these, two prizes of 40 thousand dollars each were awarded.
  • Gaining administrator access in Windows when opening a specially crafted PDF document in Adobe Reader. The attack involves vulnerabilities in Acrobat and in the Windows kernel related to access to already freed memory areas ($50 prize).

The remaining categories went unclaimed: hacking Chrome, Firefox, Edge, Microsoft Hyper-V Client, Microsoft Office, and Microsoft Windows RDP.

There was also an attempt to hack VMware Workstation, but it was unsuccessful. As last year, the hacking of most of the open source projects (nginx, OpenSSL, Apache httpd) did not enter the award categories.

Separately, we can look at the issue of hacking Tesla's in-car information systems.

There were no attempts to hack Tesla in the competition, despite the maximum prize of $700 thousand, but there was separate information about the detection of a DoS vulnerability (CVE-2020-10558) in the Tesla Model 3, which allows a specially crafted page opened in the built-in browser to disable autopilot notifications and interrupt the operation of components such as the speedometer, navigator, air conditioning, navigation system, etc.

Source: https://www.thezdi.com/
