The Results – Pwn2Own 2017 Day Two
Credit to Author: Dustin Childs (Zero Day Initiative Communications)| Date: Fri, 17 Mar 2017 08:42:52 +0000
The second day of competition in this year’s Pwn2Own closed out with a record 17 entries for a single day. In fact, due to the significant number of contestants registered for the 10th anniversary edition of Pwn2Own, we divided the second day into two different tracks: Track A focus on Adobe and Microsoft products while Track B looked at Mozilla and Apple products.
Today saw 11 successful attempts, one failure, three entries withdrawn, and two entries disqualified. Altogether, the contestants earned $340,000 and 97 Master of Pwn points today by demonstrating some amazing and unique research.
TRACK A RESULTS
The 360 Security (@mj0011sec) team started the day out by successfully exploiting Adobe Flash by using a use-after-free (UAF) bug, two Windows kernel info leaks, and an uninitialized Windows kernel buffer to elevate through Flash to SYSTEM-level access. They were unable to complete the VMware escape bonus portion, but what they were able to demonstrate still counts as a win and netted them $40,000 and 12 Master of Pwn points.
Next up in this track, Tencent Security – Team Sniper (Keen Lab and PC Mgr) successfully exploited Adobe Flash through a UAF and then escalated to SYSTEM via a UAF in the Windows kernel. This earned them $40,000 and 12 points for Master of Pwn.
Tencent Security – Team Lance was the next Track A entry. They successfully exploited Microsoft Edge by using a UAF in Chakra then elevated their privilege to SYSTEM by using a UAF in Windows kernel. This garnered them $55,000 and 14 Master of Pwn points.
The entry from Tencent Security – Sword Team targeting Microsoft Edged ended up being disqualified for not using true 0-days. The bugs used by the team were actually reported earlier in the contest by a separate team and were thus known by the vendor.
Despite their earlier success, Tencent Security – Team Lance withdrew their entry targeting Microsoft Windows from the competition. Interestingly, Tencent Security – Team Shield (Keen Lab and PC Mgr) followed this by withdrawing their own entry targeting Microsoft Edge with a SYSTEM-level escalation.
Undaunted by any previous events, Tencent Security – Team Sniper (Keen Lab and PC Mgr) completed their exploit of Microsoft Edge with a UAF in Chakra and escalated to SYSTEM-level privileges through a UAF in the Windows kernel. This round won them $55,000 and 14 points towards Master of Pwn.
Up next, the folks from 360 Security (@mj0011sec) successfully exploited Microsoft Windows with an out-of-bounds (OOB) bug in the Windows kernel. This netted them $15,000 and 4 Master of Pwn points.
In the last entry from Track A and the final attempt of Day Two, Tencent Security – Team Sniper (Keen Lab and PC Mgr) elevated privileges in Microsoft Windows through an integer overflow in the kernel. This final act of Day Two earned them $15,000 and 4 points for Master of Pwn.
TRACK B RESULTS
The day in Track B started with Tencent Security – Team Shield deciding to withdraw their attempt to exploit Apple macOS.
Conversely, the team from 360 Security (@mj0011sec) didn’t waste any time by demonstrating a successful elevation of privilege on Apple macOS. They used an info leak and race condition in the kernel. In doing so, they garnered $10,000 and 3 more points for Master of Pwn.
Not waiting around, the 360 Security (@mj0011sec) came right back to successfully exploit Apple Safari through an integer overflow and then escalated to root using a macOS kernel UAF. This earned them another $35,000 and 11 more Master of Pwn points.
Following them, the Chaitin Security Research Lab (@ChaitinTech) succeeded by performing an elevation of privilege in macOS through an info leak and OOB bug in the macOS kernel. In doing so, they netted $10,000 and 3 more Master of Pwn points.
The next entry in Track B ended in disqualification as the Tencent Security – Sword Team targeted Apple macOS with bugs already reported and known to vendor.
Moritz Jodeit from Blue Frost Security (@moritzj) followed by targeting Mozilla Firefox. Unfortunately, he could not get his exploit chain working within the allotted timeframe, resulting in a failure.
Wrapping up their successful first appearance in a Pwn2Own, the Chaitin Security Research Lab (@ChaitinTech) successfully exploited Mozilla Firefox with an integer overflow and escalated privileges through an uninitialized buffer in the Windows kernel. This earned them $30,000 and 9 Master of Pwn points in this round and increased their total to $90,000 and 26 Master of Pwn points for the contest. They certainly made an impression in their first Pwn2Own competition. We hope to see them again in the future.
Chaitin Security Research Labs running notepad.exe as SYSTEM
In the final entry in Track B, Tencent Security – Team Sniper (Keen Lab and PC Mgr) exploited Apple Safari through an integer overflow and escalated to root via an OOB UAF in WindowServer. This netted them $35,000 and 11 points for Master of Pwn.
This brings an end to another fascinating day of Pwn2Own 2017. The contest wraps up tomorrow with three final entries – including two impacting VMware. The race for Master of Pwn remains tight, with two teams still in the running. Be sure to return here for all the latest results from this 10th anniversary edition of Pwn2Own and see who earns the title of Master of Pwn.