The first day of Pwn2Own 2017 has come to a close, and so far, we’ve awarded $233,000 USD and 45 points for Master of Pwn. Today saw five successful attempts, one partial success, two failures, and two entries withdrawn.
Our day started with the 360 Security team successfully using a jpeg2000 heap overflow, a Windows kernel info leak, and an uninitialized Windows kernel buffer to gain remote code execution (RCE) through Adobe Reader. In the process, they earned themselves $50,000 USD and 6 points towards Master of Pwn.
Next up, Samuel Groß and Niklas Baumstark earned some style points by leaving a special message on the touch bar of the targeted Mac. They employed a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate their privileges to root in macOS. Unfortunately, the UAF had already been corrected in the beta version of the browser, but this bug chain still netted them a partial win, garnering them $28,000 and 9 Master of Pwn points.
The next contestant was Tencent Security – Team Ether targeting Microsoft Edge. They succeeded by using an arbitrary write in Chakra and escaped the sandbox using a logic bug within the sandbox. This netted them a cool $80,000 and 10 points for Master of Pwn.
Ubuntu Linux was welcomed to Pwn2Own by the Chaitin Security Research Lab. They leveraged a Linux kernel heap out-of-bounds access bug to earn themselves $15,000 and 3 Master of Pwn points. We’ve seen folks pop calc before, but popping xcalc was a nice touch.
Despite their earlier success, Tencent Security – Team Ether withdrew their entry targeting Microsoft Windows. Ralf-Philipp Weinmann also withdrew his attempt to exploit Microsoft Edge. Perhaps the recent security patches affected their exploits after all.
Next, Tencent Security – Team Sniper (Keen Lab and PC Mgr) targeting Google Chrome with a SYSTEM-level escalation. Unfortunately, they could not get their exploit chain working within the allotted timeframe, resulting in a failure.
However, the team came right back to target Adobe Reader and succeeded by using an info leak in Reader followed by a UAF to get code execution. They then leveraged a UAF in the kernel to gain SYSTEM-level privileges. Since this was the second win in the Enterprise Application category, it netted the team $25,000 and 6 points for Master of Pwn.
The Chaitin Security Research Lab followed up their previous success with some fantastic late-evening exploits. They broke through Apple Safari to gain root access on macOS by using a total of six bugs in their exploit chain including an info disclosure in Safari, four different type confusion bugs in the browser, and a UAF in WindowServer. This spectacular demonstration earned them $35,000 and 11 points towards Master of Pwn. They also let us know their research was guided by advisories released through the ZDI program.
Completing the nightcap round of our first day, Richard Zhu (fluorescence) failed to successfully exploit Apple Safari within the allotted time. We wish him success in his attempts tomorrow.
Overall, it was a fantastic start to the first day of our largest competition ever. The contestants successfully demonstrated 20 different bugs in their successful exploits. As for Master of Pwn, the Chaitin Security Research Lab currently leads the competition with 14 points. With two separate tracks happening on Day Two – including the first VMWare escape of the contest – Master of Pwn is still anyone’s game.
Be sure to check back for all the latest from this 10th anniversary edition of Pwn2Own.