Covid-19 has brought the world to grinding halt, but for the hacking competition Pwn2Own, that wasn’t the case. The event, planned for CanSecWest this week in Vancouver, went virtual along with the conference itself. Faced with travel restrictions and new social-distancing guidelines, contestants virtually assembled via the teleconferencing platform Zoom from Africa, Singapore and across the Americas.
“We were monitoring the situation. And if we weren’t going to converge in Vancouver, our first priority was remote participation,” said Dustin Childs, communications manager for Zero Day Initiative (ZDI), the event organizer. “We had to come up quickly with how to get everyone together in the right ways in the right rooms with the right access. It was tough, but we managed to do it.”
Over the course of two days, hacking teams ranging from Flourescence, RedRocket CTF and Synacktiv attempted to hack Adobe’s Acrobat Reader and Apple’s macOS and virtualization platforms such as Oracle VirtualBox. They competed for close to $300,000 in prizes – and for one talented hacking group, the bragging rights of Master of Pwn 2020.
Tuning into the competition via Zoom, judges and technical teams coordinated with white-hat hackers who in real time mostly were successful in compromising targeted devices and software.
During one hacking attempt, the Fluoroacetate team of Amat Cama and Richard Zhu, targeted Adobe Reader and then Windows with a local privilege escalation attack. Blink an eye and you might have missed the hack – in under five seconds and one mouse click, on their first attempt, team Fluoroacetate compromised Adobe Reader to attack and take control of the underlying operating system, Windows 10.
More specifically, the team used two separate use-after-free bugs, one in Adobe and one in the Windows kernel.
“The only thing they did was open a PDF. So, that’s something we all do every day. And, from that, they were able to escape the sandbox in Adobe Reader and escalate through the Windows’ kernel – taking over the entire machine just by opening a PDF,” Childs said.
For the one-click hack, team Fluoroacetate earned $50,000.
Tensions were high on Wednesday when a team from Georgia Tech Systems Software and Security Lab pulled off a high-wire hack chaining six different vulnerabilities to successfully exploit Apple’s Safari browser and execute code (launch the calculator app) on a computer running macOS.
Things didn’t go so well for The Synacktiv team of Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) who targeted a VMware Workstation in the Virtualization category. Over the course of three attempts, three big sighs of disappointment punctuated the failed attacks. The hack was successful eventually, however not within the contest’s rules of three tries within timed sessions.
Visualized applications didn’t fare as well against Phi Phạm Hồng (@4nhdaden) of STAR Labs who savaged Oracle’s VirtualBox on his third try. Using a combo out-of-band read vulnerability, info leak bug and an un-initialized variable hack, Hồng successfully executed code on the VirtualBox hypervisor.
For their efforts Hồng’s STAR Labs earned $40,000.
The title Master of Pwn was awarded to team Fluoroacetate for its stellar hacks during the event. With the title also comes $25,000, the classic Pwn2Own jerseys and of course the Master of Pwn trophy.
“It ended up being a great contest under very stressful trying circumstances,” Childs said. “But it was great that the vendors came together with the contestants and our team pulled it off. It was a great thing that we were able to still put it on.”
For complete Pwn2Own 2020 results ZDI has posted them here.