Windows, Ubuntu, macOS, VirtualBox fall at Pwn2Own hacking contest

Team Fluoroacetate wins fourth tournament in a row.

Pwn2Own

The 2020 spring edition of the Pwn2Own hacking contest has come to a close today.

This year's winner is Team Fluoroacetate -- made up of security researchers Amat Cama and Richard Zhu -- who won the contest after accumulating nine points across the two-day competition, which was just enough to extend their dominance and win their fourth tournament in a row.

But this year's edition was a notable event for another reason. While the spring edition of the Pwn2Own hacking contest takes place at the CanSecWest cyber-security conference, held each spring in Vancouver, Canada, this year was different.

Due to the ongoing coronavirus (COVID-19) outbreak and travel restrictions imposed in many countries around the globe, many security researchers couldn't attend or weren't willing to travel to Vancouver and potentially put their health at risk.

Instead, this year's Pwn2Own edition has become the first-ever hacking contest that has been hosted in a virtual setting.

Participants sent exploits to Pwn2Own organizers in advance, who ran the code during a live stream with all participants present.

During the competition's two-day schedule, six teams managed to hack apps and operating systems like Windows, macOS, Ubuntu, Safari, Adobe Reader, and Oracle VirtualBox. All bugs exploited during the contest were immediately reported to their respective companies.

The results of the two-day contest are below, broken down per each team's attempt. The table at the bottom of the article is the competition's final ranking.

Day One

EXPLOIT #1: The Georgia Tech Systems Software & Security Lab (SSLab_Gatech) team of Yong Hwi Jin (@jinmo123), Jungwon Lim (@setuid0x0_), and Insu Yun (@insu_yun_en) targeted Apple Safari with a macOS kernel escalation of privilege.

The exploit was successful - The Georgia Tech team used a six-bug exploit chain to pop the calculator app on macOS and escalate its access rights to root. They earn $70,000 USD and 7 Master of Pwn points.


EXPLOIT #2: Flourescence (Richard Zhu) targeted Microsoft Windows with a local privilege escalation.

The exploit was successful - The Pwn2Own veteran used a use-after-free vulnerability in Windows to escalate privileges. He earned $40,000 USD and 4 points towards Master of Pwn.


EXPLOIT #3: Manfred Paul of the RedRocket CTF team targeted Ubuntu Desktop with a local privilege escalation.

The exploit was successful - The Pwn2Own newcomer used an improper input validation bug to escalate privileges. This earned him $30,000 and 3 Master of Pwn points.


EXPLOIT #4: The Fluoroacetate team of Amat Cama and Richard Zhu targeted Microsoft Windows with a local privilege escalation.

The exploit was successful - The returing Master of Pwn winners leveraged a use-after-free bug in Windows to escalate to SYSTEM. The exploit earns them $40,000 and 4 Master of Pwn points.

Day Two

EXPLOIT #5: Phi Phạm Hồng (@4nhdaden) of STAR Labs (@starlabs_sg) targeted Oracle VirtualBox in the Virtualization category.

The exploit was successful - The researcher used an out-of-bounds read bug for an info leak and an unitialized variable for code execution on the VirtualBox hypervisor. He earns himself $40,000 and 4 Master of Pwn points.


EXPLOIT #6: The Fluoroacetate team of Amat Cama and Richard Zhu targeted Adobe Reader with a Windows local privilege escalation.

The exploit was successful - The Fluoroacetate duo used a pair of use-after-free bugs - one in Acrobat and one in the Windows kernel - to elevate privilieges and to over the system. They earn $50,000 and 5 points towards Master of Pwn.


EXPLOIT #7: The Synacktiv team of Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) targeted the VMware Workstation in the Virtualization category.

The exploit attempt failed - The team was unable to demonstrate their exploit in the time allotted.

pwn2own-2020-spring-winners.jpg

Image: Trend Micro