Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
Summary: Google is offering a $20,000 cash prize for any hacker who can successfully compromise a Cr-48 Chrome Notebook via a vulnerability -- and sandbox escape -- in its Chrome web browser.
Google is offering a $20,000 cash prize for any hacker who can successfully compromise a Windows 7 machine via a vulnerability -- and sandbox escape -- in its Chrome web browser.
The prize is part of this year's CanSecWest Pwn2Own contest, which will pit some of the world's best security researchers and exploit writers against popular web browsers and mobile devices. During last year's contest, Google Chrome was the only browser left standing but with the enhanced cash prize -- and publicity that goes along with a successful Chrome netbook hack -- there is a strong likelihood that someone will take aim at Chrome this year.
According to TippingPoint ZDI, the contest sponsor, a successful Chrome hack "must include a sandbox escape," which means that a privilege escalation vulnerability may have to be combined with another security hole to cause full system compromise.
Kernel bugs and plugins other than the built-in PDF support are all out of scope for Chrome, TippingPoint ZDI said.
As is customary, the CanSecWest conference organizers are offering cash prizes for researchers who use zero-day (unpublished) browser flaws to remotely launch code against a 64-bit Windows 7 or Mac OS X machine.
This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:
- Microsoft Internet Explorer
- Apple Safari
- Mozilla Firefox
- Google Chrome
TippingPoint ZDI says each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
On the mobile device side, the 2011 Pwn2Own contest organizers have increased the attack surface to allow attacks against the cell phone basebands. The targets this year are:
- Dell Venue Pro running Windows 7
- iPhone 4 running iOS
- Blackberry Torch 9800 running Blackberry 6 OS
- Nexus S running Android
TippingPoint ZDI says a successful attack against these devices must require little to no user interaction and must compromise useful data from the phone. Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope.
UPDATE:
In response to some criticisms from security researchers on Twitter, the conference organizers have modified the Google Chrome portion of the contest to offer different prizes for security holes in Google-written code and other non-Google code.
Here's the change:
On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
Talkback
RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
If the exploit has something to do with Flash it will be ironic.
RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
Most exploits come from third party software.
RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
It's cheaper than Google doing real quality control ;-)
RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
It is a drop in the bucket for Google, they should offer $100,000 to get
RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
Agreed. Larry and Sergey can spend $20K on shoelaces...
RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
It's a smart move. It would cost much more than $20K to hire good hackers to perform penetration testing of this caliber. They have nothing to lose because Chrome notebooks haven't gone mainstream yet, so this will either have no effect or give the Chrome notebooks a lot of publicity.
So do they have to bypass Protected Mode for IE?
"Kernel bugs and plugins other than the built-in PDF support are all out of scope for Chrome, TippingPoint ZDI said."
Does this mean that a successful IE hack must include a Protected Mode escape? And cannot use Windows kernel bugs or plugins either? I haven't been able to find out whether the previous Pwn2Own hacks of IE8 bypassed Protected Mode or not...
RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit
Two researchers found ways to disable DEP (data execution prevention) and ASLR (address space layout randomization) to bring the browser down.
DEP and ASLR have nothing to do with the IE sandbox.