More bugs, more bucks: Pwn2Own and Pwnium 2014

Summary: The combined prize pool for HP Zero Day Initiative's annual Pwn2Own and Google's Pwnium security competitions is now up to more than $3 million in cash and prizes.

So, you think you're a real hacker's hacker, do you? Well, HP and Google want you to put your cracker skills to the test at Pwn2Own 2014 and Google's Pwnium 4. Both competitions will be held at the CanSecWest applied digital security conference in Vancouver, Canada, from March 12 to 14.

Let the hacking begin at HP's Pwn2Own and Google's Pwnium annual cracking competitions.

Pwn2Own, as always, will be focusing mostly on Web browser attacks. Brian Gorenc, HP Security Research Manager for Vulnerability Research, wrote, "The 2014 competition consists of three divisions: Browsers, Plug-Ins, and the Grand Prize. All target machines will be running the latest fully patched versions of the relevant operating systems (Windows 8.1 x64 and OS X Mavericks), installed in their default configurations. The vulnerability or vulnerabilities used in each attack must be unknown and not previously reported to the vendor. A particular vulnerability can only be used once across all categories." Contestants must compromise a target within a half-hour. The first one to break a program wins.

The 2014 targets are:

Browsers:

  • Google Chrome on Windows 8.1 x64: $100,000 USD
  • Microsoft Internet Explorer 11 on Windows 8.1 x64: $100,000 USD
  • Mozilla Firefox on Windows 8.1 x64: $50,000 USD
  • Apple Safari on OS X Mavericks: $65,000 USD

Plug-ins:

  • Adobe Reader running in Internet Explorer 11 on Windows 8.1 x64: $75,000 USD
  • Adobe Flash running in Internet Explorer 11 on Windows 8.1 x64: $75,000 USD
  • Oracle Java running in Internet Explorer 11 on Windows 8.1 x64 (requires click-through bypass): $30,000 USD

There's also a special “Exploit Unicorn” Grand Prize. To win this one, you have to show a system-level code execution crack on Windows 8.1 x64 on Internet Explorer 11 x64 with the Enhanced Mitigation Experience Toolkit (EMET) running. EMET is Microsoft's strongest anti-hacking tool. If you bust this one, you get a cool $150,000 plus a unicorn!

However, HP's rules state that "Real-life unicorn prize subject to availability." Darn it!

While you may not get a unicorn, winners will also receive the laptop on which they demonstrated their compromise, and 20,000 ZDI reward points. This immediately qualifies them for ZDI Silver standing. This gives the winning hacker an additional one-time $5,000 cash payout, a 15 percent monetary bonus on all vulnerabilities submitted to ZDI during the next calendar year, a 25 percent reward-point bonus on all vulnerabilities submitted to ZDI over the next calendar year, and paid travel and registration to attend the 2014 DEFCON. This is none-too-shabby!

All revealed vulnerabilities and exploits will be disclosed to the affected vendors, and the proof of concept will become HP's property.

You must pre-register for the competition. Contact ZDI at zdi@hp.com to begin the registration process. Registration closes at 5 PM Pacific time on March 10, 2014.

Google's Pwnium 4 competition is giving hackers their shot at Chrome OS. According to Jorge Lucángeli Obes, Google's Security Engineer and Pwnium's Master of Ceremonies, Google will be offering a total prize pool of $2.71828. That's Euler's number (e), a mathematical constant, for the non-mathematicians in the crowd.

Google will be offering rewards for eligible Chrome OS exploits at the following levels: 

  • $110,000 USD: browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page.
  • $150,000 USD: compromise with device persistence: guest to guest with interim reboot, delivered via a web page.

In addition, Google may give bonus prizes for "demonstrating a particularly impressive or surprising exploit." Potential examples include defeating kernel address space layout randomization (KASLR). This is a Linux security technique that's similar to the one used in Microsoft's EMET. Other "surprising" exploits include "exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process."

This year, crackers don't have to attack Intel-based Chrome devices. Google will let you try your hacks on either the Intel Haswell-powered Acer 720 Chromebook or the ARM-based HP Chromebook 11.

To win, besides showing that your exploit works, you'll need to give your full exploit, with explanations for all individual bugs used, which must be unknown, to Google. The exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL.

You can use any software included with either device as part of their default installation in your attack. To participate, you must register in advance by e-mailing pwnium4@chromium.org. Registration will close at 5:00 PM PST Monday, March 10th, 2014.

So, ready to show off your hacker chops and make big money while you're at it? Well, get to work on your cracks and enter the contest. Good luck and happy hacking!

Talkback

2 comments
  • Article: "kernel address space layout randomization (KASLR)"

    This will be interesting as not all in the Linux community have high opinions of KASLR:

    "KASLR: An Exercise in Cargo Cult Security"
    http://forums.grsecurity.net/viewtopic.php?f=7&t=3367

    The section of the article entitled "Why KASLR is a Failure" is especially interesting.

    P.S. KASLR isn't just for the Linux kernel. As mentioned in the article, Microsoft also implements KASLR. As does Apple with iOS and OS X.
    Rabid Howler Monkey
  • e dollars?

    Deep in the text you entice us with "a total prize pool of $2.71828." That's it? All the winners can combine their loot and split a cup of coffee, if someone pitches in an extra buck or two?
    Or was there supposed to be a suffix following?
    kidtree