The Results – Pwn2Own 2017 Day One

  • Posted on: March 16, 2017
  • Posted in: Zero Day Initiative
  • Posted by: Dustin Childs (Zero Day Initiative Communications)

The first day of Pwn2Own 2017 has come to a close, and so far, we’ve awarded $233,000 USD and 45 points for Master of Pwn. Today saw five successful attempts, one partial success, two failures, and two entries withdrawn.

Our day started with the 360 Security team successfully using a jpeg2000 heap overflow, a Windows kernel info leak, and an uninitialized Windows kernel buffer to gain remote code execution (RCE) through Adobe Reader. In the process, they earned themselves $50,000 USD and 6 points towards Master of Pwn.

Next up, Samuel Groß and Niklas Baumstark earned some style points by leaving a special message on the touch bar of the targeted Mac. They employed a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate their privileges to root in macOS. Unfortunately, the UAF had already been corrected in the beta version of the browser, but this bug chain still netted them a partial win, garnering them $28,000 and 9 Master of Pwn points.

The next contestant was Tencent Security – Team Ether targeting Microsoft Edge. They succeeded by using an arbitrary write in Chakra and escaped the sandbox using a logic bug within the sandbox. This netted them a cool $80,000 and 10 points for Master of Pwn.

Ubuntu Linux was welcomed to Pwn2Own by the Chaitin Security Research Lab. They leveraged a Linux kernel heap out-of-bounds access bug to earn themselves $15,000 and 3 Master of Pwn points. We’ve seen folks pop calc before, but popping xcalc was a nice touch.

 

Despite their earlier success, Tencent Security – Team Ether withdrew their entry targeting Microsoft Windows. Ralf-Philipp Weinmann also withdrew his attempt to exploit Microsoft Edge. Perhaps the recent security patches affected their exploits after all.

Next, Tencent Security – Team Sniper (Keen Lab and PC Mgr) targeted Google Chrome with a SYSTEM-level escalation. Unfortunately, they could not get their exploit chain working within the allotted timeframe, resulting in a failure.

However, the team came right back to target Adobe Reader and succeeded by using an info leak in Reader followed by a UAF to get code execution. They then leveraged a UAF in the kernel to gain SYSTEM-level privileges. Since this was the second win in the Enterprise Application category, it netted the team $25,000 and 6 points for Master of Pwn.

The Chaitin Security Research Lab followed up their previous success with some fantastic late-evening exploits. They broke through Apple Safari to gain root access on macOS by using a total of six bugs in their exploit chain including an info disclosure in Safari, four different type confusion bugs in the browser, and a UAF in WindowServer. This spectacular demonstration earned them $35,000 and 11 points towards Master of Pwn. They also let us know their research was guided by advisories released through the ZDI program.

Completing the nightcap round of our first day, Richard Zhu (fluorescence) failed to successfully exploit Apple Safari within the allotted time. We wish him success in his attempts tomorrow.

Overall, it was a fantastic start to the first day of our largest competition ever. The contestants successfully demonstrated 20 different bugs in their successful exploits. As for Master of Pwn, the Chaitin Security Research Lab currently leads the competition with 14 points. With two separate tracks happening on Day Two – including the first VMware escape of the contest – Master of Pwn is still anyone’s game.

Be sure to check back for all the latest from this 10th anniversary edition of Pwn2Own.

  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.