mood Posted January 27, 2021

Pwn2Own 2021, more than $1,500,000 in cash and prizes for contestants

Trend Micro’s Zero Day Initiative announced the Pwn2Own Vancouver 2021 hacking competition, which will also cover Zoom and MS Teams exploits.

Trend Micro’s Zero Day Initiative (ZDI) this week announced the forthcoming Pwn2Own Vancouver 2021 hacking competition, which will take place on April 6-8. The organizers provided information about the targets, prizes and rules for the competition.

Due to the ongoing COVID-19 pandemic, the event this year will be hybrid in format: participants will submit their exploits remotely, and ZDI staff in Toronto (Canada) and Austin (Texas) will verify their effectiveness. People interested in the event can follow it through live streaming on YouTube and Twitch.

This year the overall prize pool is greater than $1.5 million in cash.

“As the workforce moves out of the office and goes remote, the tools needed to support that change become greater targets. That’s one reason we added this new category and teamed up with Zoom to have them in the contest. Microsoft Teams will also be a target. A successful demonstration of an exploit in either of these products will earn the contestant $200,000 – quite the payout for a new category.” reads the announcement published by ZDI. “Tesla returns for this year’s contest but driving off with a brand-new Model 3 will be more of a challenge this year. Of course, that means the rewards are greater as well, with the top prize going for $600,000 (plus the car itself).”

Other prizes include a Tesla Model 3, which will be awarded to participants involved in hacking the vehicle. A hack that completely takes over a Tesla could be awarded up to $600,000.

Participants can demonstrate working exploits in one of the following categories:

— Virtualization Category
— Web Browser Category
— Enterprise Applications Category
— Server Category
— Local Escalation of Privilege Category
— Enterprise Communications Category
— Automotive Category

The novelty is the “Enterprise Communications Category”: participants can earn up to $200,000 for demonstrating working exploits against the Zoom or Microsoft Teams platforms.

“Our newest category focuses on tools that we have come to rely on as we evolved into a remote workforce. Zoom has become a partner for their inaugural Pwn2Own, and we’re happy to have them on board.” continues the announcement. “A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio call, video conference, or message.”

Participants can earn up to $250,000 for demonstrating exploits in the Microsoft Hyper-V client under the virtualization category, or up to $150,000 for Chrome and Edge exploits under the web browser category. The maximum prize for exploits under the enterprise application category is $100,000 for Microsoft 365 exploits, while the prize for exploits under the server category is up to $200,000 for Microsoft Exchange and Windows RDP exploits. Other information is available here.

At last year’s event, the first edition of Pwn2Own affected by the pandemic, white hat hackers only earned a total of $270,000 for their exploits.

Source: Pwn2Own 2021, more than $1,500,000 in cash and prizes for contestants
mood Posted April 7, 2021

White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021

On the first day of the Pwn2Own 2021 hacking competition, participants earned more than half a million dollars, including $440,000 for demonstrating exploits against Microsoft products.

The competition’s organizer, Trend Micro’s Zero Day Initiative (ZDI), said there were seven attempts on the first day and five of them were successful.

A team called Devcore earned $200,000 for taking complete control of a Microsoft Exchange server by chaining authentication bypass and local privilege escalation vulnerabilities. A researcher who uses the online moniker OV was awarded $200,000 for a Microsoft Teams code execution exploit.

Another significant reward went to Jack Dates from RET2 Systems, who earned $100,000 for a kernel-level code execution exploit in Apple’s Safari web browser. The exploit leveraged an integer overflow and an out-of-bounds write bug.

Also on the first day, Team Viettel earned $40,000 for a local privilege escalation vulnerability in Windows 10, and Ryota Shiga of Flatt Security earned $30,000 for a privilege escalation flaw in Ubuntu Desktop.

Participants also attempted to hack the Parallels Desktop and Oracle VirtualBox virtualization products, but they failed to demonstrate their exploits within the allotted time.

On the second and third days of Pwn2Own 2021, white hat hackers will attempt to demonstrate exploits against Chrome and Edge, Zoom, Parallels Desktop, Microsoft Exchange, Ubuntu, and Windows 10.

There is also an automotive category this year for hacking Tesla cars. Participants have been offered up to $600,000 and a vehicle, but it seems no one has signed up for this category. A team of researchers did earn a Tesla back in 2019 when the automotive hacking category was introduced at Pwn2Own. In 2020, contestants didn’t have the opportunity to hack a Tesla due to the coronavirus pandemic.

The prize pool for Pwn2Own 2021 exceeds $1.5 million in cash and other prizes. At last year’s event, participants only earned $270,000 for their exploits.

Source: White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021
mood Posted April 9, 2021

Pwn2Own 2021 Participants Earn Over $1.2 Million for Their Exploits

The Pwn2Own 2021 hacking competition has come to an end, with participants earning more than $1.2 million, more than has ever been paid out at the event, for exploits in the browser, virtualization, server, local privilege escalation, and enterprise communications categories.

Over the course of three days, participants made 23 attempts, targeting Safari, Chrome, Edge, Windows 10, Ubuntu, Microsoft Teams, Zoom, Parallels, Oracle VirtualBox, and Microsoft Exchange. Oracle VirtualBox was only targeted by one team, and their attempt failed. The other products were all hacked by at least one team.

The highest rewards were paid out to team Devcore for an Exchange server exploit, a researcher named OV for a Microsoft Teams exploit, and Daan Keuper and Thijs Alkemade from Computest for a zero-click Zoom exploit. They each earned $200,000 for their work, and each of them earned the same number of points in total, meaning they all shared first place.

Zoom told SecurityWeek that it has already started working on a patch and provided some clarifications regarding exploitation and impacted products.

“We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust,” explained a Zoom spokesperson.

Significant rewards were also earned by Jack Dates from RET2 Systems ($100,000 for a Safari hack), and Bruno Keith and Niklas Baumstark of Dataflow Security ($100,000 for an exploit that works on both Edge and Chrome).

There were also several successful privilege escalation attempts on Windows 10 and virtual machine escapes on Parallels, each of them earning participants $40,000. Several Ubuntu privilege escalation exploits were rewarded with $30,000 each.

According to Trend Micro’s Zero Day Initiative (ZDI), which organizes Pwn2Own, participants took home $1,210,000 of the $1.5 million prize pool, more than in any previous year. In comparison, in 2020, participants only earned $270,000 for their exploits. In 2019, prizes totaled $545,000.

Source: Pwn2Own 2021 Participants Earn Over $1.2 Million for Their Exploits
aum Posted April 10, 2021

Two Dutch white-hat security specialists entered the annual computer hacking contest Pwn2Own, managed to find a Remote Code Execution (RCE) flaw in Zoom, and are $200,000 USD better off than they were before.

Pwn2Own

Pwn2Own is a high profile event organized by the Zero Day Initiative that challenges hackers to find serious new vulnerabilities in commonly used software and mobile devices. The event is held to demonstrate that popular software and devices come with flaws and vulnerabilities, and offers a counterweight to the underground trade in vulnerabilities. The “targets” volunteer their software and devices and offer a reward for successful attacks. Fans are treated to a hacking spectacle, successful hackers get kudos and no small amount of cash (in this case the reward was a whopping $200,000 USD), and vendors find nasty bugs that might otherwise be sold to criminals.

Pwn2Own 2021 runs from 6 April to 8 April. The full schedule for this year can be found on their site. This year the event has focused on software and devices used when working from home (WFH), including Microsoft Teams and Zoom, for obvious reasons.

The white hats

Keuper and Alkemade, who are employed by cybersecurity company Computest, combined three vulnerabilities to take over a remote system on the second day of the Pwn2Own event. The vulnerabilities require no interaction from the victim. They just need to be on a Zoom call.

The vulnerability

In the light of responsible disclosure, the full details of the method have been kept under wraps. What we do know is that it was a Remote Code Execution (RCE) flaw, a class of software security flaws that allow a malicious actor to execute code of their choosing on a remote machine over a LAN, WAN, or the Internet. We also know that the method works on the Windows and Mac versions of the Zoom software, but does not affect the browser version. It is unclear whether the iOS and Android apps are vulnerable, since Keuper and Alkemade did not look into those.

The Pwn2Own organization has tweeted a gif demonstrating the vulnerability in action. You can see the attacker open the calculator on the system running Zoom. Calc.exe is often used as the program that hackers open on a remote system to show that they can run code on the affected machine.

A Zoom RCE being used to open the Windows calculator

Not patched yet

Understandably, Zoom has not yet had the time to issue a patch for the vulnerability. They have 90 days to do so before details of the flaw are released, but they are expected to do it well before that period is over. The fact that the researchers came out on the second day of the Pwn2Own event with this vulnerability does not mean they figured it out in those two days. They will have put in months of research to find the different flaws and combine them into an RCE attack.

Security done right

This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work, and what responsible disclosure means. Keep the details to yourself until protection in the form of a patch is readily available for everyone involved (with the understanding that vendors will do their part and produce a patch quickly).

Mitigation

For now, the two hackers and Zoom are the only ones that know how the vulnerability works. As long as it stays that way there is not much that Zoom users have to worry about. For those that worry anyway, the browser version is said to be safe from this vulnerability. For anyone else, keep your eyes peeled for the patch and update at the earliest convenience after it comes out.

Update April 9

Zoom responded to the articles about the Pwn2Own event:

“We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center.”

Stay safe, everyone!

Source
Karlston Posted April 10, 2021

Similar topics merged.

Editor Tip: Tweets can be added manually by (1) right-clicking on the article tweet's blue bird at top right, (2) choosing "Copy Link Location" (Firefox, YMMV) and (3) pasting the link where you want the tweet. A few moments later it will appear.

Another useful Editor Tip is using CTRL-Z to undo the last Editor operation. Saved me countless times to undo something that didn't quite work the right way. Can be repeated a few times to undo more.
aum Posted April 12, 2021

Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021

The 2021 spring edition of the Pwn2Own hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.

A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI).

Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems.

Some of the major highlights are as follows:

— Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server, for which the Devcore team netted $200,000
— Chaining a pair of bugs to achieve code execution in Microsoft Teams, earning researcher OV $200,000
— A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system ($200,000)
— The exploitation of an integer overflow flaw in Safari and an out-of-bounds write to get kernel-level code execution ($100,000)
— An exploit aimed at the Chrome renderer to hack Google Chrome and Microsoft Edge (Chromium) browsers ($100,000)
— Leveraging use-after-free, race condition, and integer overflow bugs in Windows 10 to escalate from a regular user to SYSTEM privileges ($40,000 each)
— Combining three flaws (an uninitialized memory leak, a stack overflow, and an integer overflow) to escape Parallels Desktop and execute code on the underlying operating system ($40,000)
— Exploiting a memory corruption bug to successfully execute code on the host operating system from within Parallels Desktop ($40,000)
— The exploitation of an out-of-bounds access bug to elevate from a standard user to root on Ubuntu Desktop ($30,000)

The Zoom vulnerabilities exploited by Daan Keuper and Thijs Alkemade of Computest Security are particularly noteworthy because the flaws require no interaction from the victim other than being a participant on a Zoom call. What's more, it affects both Windows and Mac versions of the app, although it's not clear if the Android and iOS versions are vulnerable as well.

Technical details of the flaws remain unclear as yet, but in a statement sharing the findings, the Dutch security firm said the researchers "were then able to almost completely take over the system and perform actions such as turning on the camera, turning on the microphone, reading emails, checking the screen and downloading the browser history."

When reached for a response, Zoom said it's pushed a server-side change to patch the bugs, noting that it's working on incorporating extra protections to resolve the security shortcomings. The company has a 90-day window to address the issues before they are made public.

"On April 9, we released a server-side update that defends against the attack demonstrated at Pwn2Own on Zoom Chat," a spokesperson for the company told The Hacker News. "This update does not require any action by our users. We are continuing to work on additional mitigations to fully address the underlying issues."

The company also said it's not aware of any evidence of active exploitation of these issues, while pointing out the flaws don't impact in-session chat in Zoom Meetings, and that the "attack can only be executed by an external contact that the target has previously accepted or be a part of the target’s same organizational account."

Independent researcher Alisa Esage also made history as the first woman to win Pwn2Own after finding a bug in the virtualization software Parallels. But she was only awarded a partial win because the issue had been reported to ZDI prior to the event.

"I can only accept it as a fact that my successful Pwn2Own participation attracted scrutiny to certain arguable and potentially outdated points in the contest rules," Esage tweeted, adding, "In the real world there is no such thing as an 'arguable point'. An exploit either breaks the target system or not."

Source