Home » Network » Pwn2Own: Day 2 and Event Wrap-Up

Pwn2Own: Day 2 and Event Wrap-Up

Posted on:March 18, 2016
Posted in:Network, Security
Posted by:Christopher Budd (Global Threat Communications)

The second and final day of the 2016 Pwn2Own competition wrapped up today.

By the afternoon an already exciting competition shifted into high-gear when two attempts failed in a row (a Pwn2Own first) and the top prize of Master of Pwn came down to the success or failure of the last attempt of the event by Tencent Security Team Sniper (KeenLab and PC Manager). After only two minutes, their demonstration succeeded making them the Master of Pwn for Pwn2Own 2016 with 38 Master of Pwn points and US$142,500. JungHoon Lee tied for second with 25 Master of Pwn points and US$145,000. 360Vulcan Team also tied for second with 25 Master of Pwn points and US$132,500. Tencent Security Team Shield came in fourth with 10 Master of Pwn points and US$40,000. All total, 98 Master of Pwn Points and US$ 460,000 were earned by these four teams.

Overall the event was very successful. It was the largest event in the history of Pwn2Own and resulted in 21 new vulnerabilities. For a full breakdown, see “Pwn2Own 2016 in Numbers” below.

As fun as the Pwn2Own competition is, ultimately it is serious business about understanding the current threats and weaknesses. This year’s competition succeeds in that regard. While it’s easy to focus on the state of browser security as shown at Pwn2Own, the real, important, technical story is about the state of kernel security. EVERY successful attack achieved SYSTEM or root privileges. This is a Pwn2Own first. It’s also a very worrying development. As ZDI researcher Jasiel Spelman noted, researchers and attackers are likely focusing on the kernel in response to advances in sandboxing. It’s a truism in security that when you harden one area, attackers and researchers will move their attention to another one. Based on Pwn2Own 2016, it appears that’s happening with a shift to focus on the kernel. This is also borne out by what we’re seeing in Linux lately: while Linux is outside the focus of Pwn2Own, we’ve seen a number of Linux kernel issues lately.

Hopefully, operating system vendors and maintainers will hear the message and give a renewed focus to the security of their kernels. This trend is likely to continue into the future.

Meanwhile, Pwn2Own 2016 has been a great event to kick off TippingPoint, ZDI and DVLabs joining Trend Micro.

Pwn2Own 2016 in Numbers:

Total prizes awarded:

	Master of Pwn Points: 98 Cash: US$ 460,000

Number of Attempts:

	Fully Successful: 7 (64%) Partially Successful: 1 (9%) Failed: 3 (27%)

Number of Successful Attempts Against:

	Apple Safari: 3/3 (100% Success) Microsoft Edge: 2 /2 (100% Success) Adobe Flash: 4/5 (75% Success) Google Chrome: .5/2 (25% Success) NOTE: The actual vulnerability in Google Chrome had already been independently reported to Google; this is counted a partial success)

Percentage of Successful or Partially Successful attacks that achieved SYSTEM or root privilege: 100%

Contestant Success Standings:

	Tencent Security Team Sniper (KeenLab and PC Manager): 3/3 (100% Success) 360Vulcan Team: 1.5/2 (75% Success) JungHoon Lee (lokihardt): 2/3 (66% Success) Tencent Security Team Shield (PC Manager and KeenLab): 1/2 (50% Success) Tencent Xuanwu Lab: 0/1 (0% Success)

Awards:

	Most Master of Pwn Points Awarded in a Single Attempt: 15 – JungHoon Lee (lokihardt) against Microsoft Edge in the SYSTEM context and Tencent Security Team Sniper (KeenLab and PC Manager) against Microsoft Edge in the SYSTEM context. Biggest Cash Prize Awarded in a Single Attempt: US$85,000 JungHoon Lee (lokihardt) against Microsoft Edge in the SYSTEM context.

Number of new vulnerabilities:

	Microsoft Windows: 6 Apple OS X: 5 Adobe Flash: 4 Apple Safari: 3 Microsoft Edge: 2 Google Chrome: 1 (a duplicate of a previous, independently reported vulnerability) Total: 21

Total number of new browser vulnerabilities: 6

Total number of new kernel vulnerabilities: 6

Day 2 Details:

Tencent Security Team Sniper (KeenLab and PC Manager): Demonstrated a successful code execution attack against Safari to gain root privileges using an use-after-free vulnerability in Safari and an out-of-bounds vulnerability in Mac OS X. This demonstration earned them 10 Master of Pwn Points and US$40,000.
JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Microsoft Edge in the SYSTEM context using an uninitialized stack variable vulnerability in Microsoft Edge and a directory traversal vulnerability in Microsoft Windows to get SYSTEM privilege. This demonstration earned him 15 Master of Pwn points and US$85,000.
JungHoon Lee (lokihardt): Attempted to demonstrate a code execution attack against Google Chrome. This attempt failed.
Tencent Security Team Shield (PC Manager and KeenLab): Attempted to demonstrate a code execution attack against Adobe Flash in SYSTEM context. This attempt failed.
Tencent Security Team Sniper (KeenLab and PC Manager): Demonstrated a successful code execution vulnerability against Microsoft Edge in the SYSTEM context using an out-of-bounds vulnerability in Microsoft Edge and a buffer overflow vulnerability in the Kernel. This demonstration earned them 15 Master of Pwn points and US$52,500.

Pwn2Own: Day 2 and Event Wrap-Up

Security Intelligence Blog

Featured Authors

Trend Micro in the News

Trend Micro Blogs

Pwn2Own: Day 2 and Event Wrap-Up

Related posts:

Security Intelligence Blog

Featured Authors

Trend Micro in the News

Trend Micro Blogs