• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Rik Ferguson
    • Raimund Genes
    • Mark Nunnikhoven
  • Research
Home   »   Network   »   Pwn2Own: Day 1 Recap

Pwn2Own: Day 1 Recap

  • Posted on:March 17, 2016
  • Posted in:Network, Security
  • Posted by:Christopher Budd (Global Threat Communications)
0
fbi-breach

Pwn2Own day 1 is done. Out of six attempts today, four were successful, one was partially successful and one failed. A total of 15 new vulnerabilities were demonstrated and information passed on to the vendors so they can address them appropriately. In addition, the DVLabs team worked directly with the researchers to identify the information needed to create filters for the Digital Vaccine. This filter set will be available this Tuesday March 22, 2016 and provides exclusive protection for our TippingPoint customers against these zero day vulnerabilities.

 

Today, the five teams earned US$282,500 dollars in prizes. And at the end of Day 1, 360Vulcan Team is in the lead for the title of “Master of Pwn with 25 points.”

p2o2016-5u

 

Day 2 of the contest will begin tomorrow at 9:00 a.m. Pacific time. Three teams will make five additional attempts.

View the full schedule here.

Day 1: The Details

  1. JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000.
  2. 360Vulcan Team: Demonstrated a successful code execution attack against Adobe Flash using a Flash confusion bug with use-after-free vulnerability in the Windows Kernel to run code in the SYSTEM context. This demonstration earned 13 Master of Pwn points and US$80,000.
  3. Tencent Security Team Shield (PC Manager and KeenLab): Demonstrated a successful code execution attack against Apple Safari to gain root privileges using two use-after-free vulnerabilities, one in Safari and the other in a privileged process. This demonstration earned 10 Master of Pwn points and US$40,000.
  4. 360Vulcan Team: Demonstrated a successful code execution attack against Google Chrome in the SYSTEM context. The attack used four vulnerabilities: two use-after-free vulnerabilities in Adobe Flash, one use-after-free vulnerability in the Windows Kernel and an out-of-bounds vulnerability in Google Chrome. This was a partial win due to the Google Chrome vulnerability being a duplicate of a previous, independent report to Google. This demonstration earned 12 Master of Pwn points and US$52,500.
  5. Tencent Security Team Sniper (KeenLab and PC Manager): Demonstrated a successful code execution attack against an out-of-bounds vulnerability in Adobe Flash that use an infoleak vulnerability and a use-after-free vulnerability in the Windows Kernel to achieve SYSTEM context. This demonstration earned 13 Master of Pwn points and US$50,000.
  6. Tencent Xuanwu Lab: Adobe Flash in Microsoft Edge: This attempt failed.

Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.

Related posts:

  1. Pwn2Own: Day 2 and Event Wrap-Up
  2. Pwn2Own 2016 Has Begun
  3. Zero Day Initiative announces Pwn2Own 2016
  4. Pwn2Own 2016 – Trend Micro TippingPoint DVLabs Exclusive Zero Day Coverage!

Security Intelligence Blog

  • A Look at the BIND Vulnerability: CVE-2016-2776
  • October Patch Tuesday: Microsoft Releases 10 Security Bulletins, Five Rated Critical
  • Several Exploit Kits Now Deliver Cerber 4.0

Featured Authors

Dustin Childs (Zero Day Initiative Communications)
Dustin Childs (Zero Day Initiative Communications)
  • October 2016 – A brave new world of security updates
Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Exploits as a Service: How the Exploit Kit + Ransomware Tandem Affects a Company’s Bottom Line
Elisa Lippincott (TippingPoint Global Product Marketing)
Elisa Lippincott (TippingPoint Global Product Marketing)
  • Trend Micro Achieves “Recommended” Status from NSS Labs Testing
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Talking about Ransomware, A Recap
Raimund Genes (Chief Technology Officer)
Raimund Genes (Chief Technology Officer)
  • Is “Next Gen” patternless security really patternless? What the changes to VirusTotal’s Terms of Service Really Mean
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • PoS Malware: Old Dog Learns New Tricks

Trend Micro Twitter Feed

Tweets by @trendmicro

Follow Us

Trend Micro in the News

  • Trend Micro Achieves “Recommended” Status from NSS Labs Testing
  • This Week in Security News
  • TippingPoint Threat Intelligence and Zero-Day Coverage – Week of October 10, 2016

Trend Micro Blogs

  • Internet Safety for Kids
  • CounterMeasures
  • CTO Insights
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2016 Trend Micro Incorporated. All rights reserved.