We are nine weeks away from the Pwn2Own™ 2017 security contest returning to CanSecWest, which is celebrating its 10th anniversary this year. A lot has changed in the world since the first Pwn2Own in 2007. The computing space has changed drastically, as well. The first Pwn2Own happened before Conficker or Stuxnet. It happened before the rise of nation-state attacks. It happened before the explosion of ransomware. It happened before the explosion of cloud computing. It happened before bitcoin. It happened before anyone had ever heard of the Internet of Things.
In other words, a lot has changed since 2007, including Pwn2Own. That first year, a laptop and $10,000* were given away. Last year, more than $450,000 cash and prizes were awarded over the multiple categories. In 2007, a single bug was needed to exploit QuickTime. Last year, a chain of bugs was required to complete a compromise and fully win a category. Even the jackets have evolved.
As the contest has grown, we at the Zero Day Initiative (ZDI) have kept expanding it to stay relevant and reflect the latest trends impacting enterprises and users. This year we’re expanding it even further. To celebrate 10 years of Pwn2Own, the ZDI will be offering more than $1,000,000 across five different categories to see the latest research and again crown a Master of Pwn. It’s more money and more categories than we’ve ever done, and we can’t wait to see the research that comes to claim the prizes.
Let’s get to the categories:
Virtual Machine Escape (Guest-to-Host)
We added Virtual Machine Escapes last year with VMware, and we’re expanding this to include Microsoft Hyper-V this year. An attempt in this category must be launched from within the guest operating system from a non-administrative account and execute arbitrary code on the host operating system. Both the guest and the host operating system will be running the 64-bit versions of Windows 10. A successful exploit in either product will net $100,000 for the contestant plus a lucky 13 Master of Pwn points.
Web Browser and Plugins
Attacks on web browsers have been a part of Pwn2Own since the very beginning, and this year is no different. We welcome Mozilla Firefox back into our targets list after missing last year. Here is the full list of browsers and plugins we are including (with their payouts):
In this category, contestants earn an additional $30,000 if their entry achieves SYSTEM-level code execution on Windows-based targets, or an additional $20,000 if their entry achieves root-level code execution on macOS-based targets.
Want a really big payout? The Windows-based targets will be running in a VMware Workstation virtual machine. If the contestant escapes the VMware Workstation virtual machine and achieves code execution on the host operating system, the contestant will receive an additional $100,000.
These bonuses are cumulative, as well. For example, if a contestant exploits Google Chrome or Microsoft Edge, elevates to SYSTEM, then performs a VMware escape, they will net themselves a tidy $210,000 in one sitting (and 27 Master of Pwn points!). We certainly hope someone accomplishes a chain along these lines.
Local Escalation of Privilege
Although we’ve had some Escalation of Privilege (EoP) bugs as add-ons in past Pwn2Owns, this is the first year it has a category of its own. This is also the first time we’ve included Linux as a target. In this category, the entry must leverage a kernel vulnerability to escalate privileges. If they do, contestants will earn $30,000 for Microsoft Windows 10, $20,000 for macOS, and $15,000 for Ubuntu Desktop. They will also get 4 Master of Pwn points for Windows and 3 for the other OSes. Considering the various types of malware that use local EoPs, this could prove to be an impactful category. As always, the latest, fully-patched version of each OS will be used – even if we have to stay up late to install the patches.
Enterprise Applications
One thing we think about when planning a Pwn2Own is what we hope to see. We’ve considered adding Office and Reader applications in the past, and there’s no better time than the 10th anniversary to include them.
Here’s the list of targets for this category:
The Microsoft Office-based targets will have Protected View enabled. Each successful exploit earns the contestant $50,000 and six Master of Pwn points. These types of exploits are seen in the wild quite a bit, so shutting a few down could really help improve the security posture for a lot of folks.
Server Side Exploits
This is another new category for Pwn2Own, but one that should prove noteworthy. A successful exploit against Apache Web Server on Ubuntu Server will net the researcher $200,000 and earn a whopping 25 Master of Pwn points. Considering this setup accounts for roughly half of all websites, it’s pretty clear what impact a bug here would have. An attempt in this category must be launched from the contestant laptops within the contest network.
Master of Pwn Returns
Speaking of Master of Pwn, we started this last year and continued it through Mobile Pwn2Own, as well. In order to crown an overall ‘winner’ for Pwn2Own, each successful exploit will receive points. Total points are calculated by the sum of the successful entries based on the following point allocations:
| Category | Target | Points |
|---|---|---|
| Virtual Machine Escape | VMware Workstation | 13 |
| Web Browser and Plugins | Microsoft Edge | 10 |
| | Adobe Flash in Edge | 8 |
| | + Escalation to SYSTEM (Windows) | 4 |
| | + Escalation to Root (macOS) | 3 |
| | + Virtual Machine Escape | 13 |
| Local Escalation of Privilege | Microsoft Windows 10 | 4 |
| Enterprise Applications | Adobe Reader | 6 |
| | Microsoft Office Word | 6 |
| | Microsoft Office Excel | 6 |
| | Microsoft Office PowerPoint | 6 |
| Server Side Exploits | Apache Web Server | 25 |
For example, if a contestant has two successful entries (e.g. Microsoft Edge with a SYSTEM escalation and Google Chrome without a SYSTEM escalation), their total points would be 24 points. The contestant with the highest total points at the end of the contest will receive the title “Master of Pwn” and receive 65,000 ZDI reward points (estimated at $25,000). There’s a better than average chance that the title will also include some form of slick jacket too.
The complete rules for Pwn2Own 2017 are found here. As always, we encourage entrants to read the rules thoroughly if they choose to participate. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at firstname.lastname@example.org to begin the registration process. (Email only, please; queries via Twitter, blog post or other means will not be acknowledged or answered.) Registration closes at 5 p.m. Pacific Time on March 12, 2017.
Over the next few weeks leading up to Pwn2Own, we’ll be posting some stories and behind the scenes tales from the contest. Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the contest. We look forward to seeing everyone in Vancouver, and here’s to another 10 years of pwnage!