This blog will be updated throughout the competition so keep tracking for the latest updates!
A global outbreak of bigger bugs. Badder bugs. And they’re threatening the world as we know it. Yes, it sounds like a poorly-written trailer for the next summer blockbuster alien invasion movie, but in truth, it’s a reality we’ll face yet again this year. We are back in Vancouver, B.C. for the 2017 Pwn2Own competition run by the Trend Micro TippingPoint Zero Day Initiative. We are looking at an unprecedented 30 entries this year, well above anything we’ve seen from previous competitions.
What is especially exciting are the entrants in the VMware escape category, where we may see exploits not normally seen against the virtual machine allowing an attacker to break out of a VM environment and control the host.
The TippingPoint DVLabs team is onsite as usual, meeting with each of the hacking teams and dissecting the code and exploits in order to provide zero-day filters for all remotely exploitable vulnerabilities. One of the questions we get is: What’s the point of covering these vulnerabilities if only one hacker is attempting to exploit them? Well, you only have to look at the success of the patches from vendors this year for the answer. Just before Pwn2Own commences each year, almost all vendors furiously issue patches to attempt to minimize the number of successful exploits. Once again, we saw a series of likely defensive submissions from contestants, aimed at “burning” or eliminating zero-days that other teams could use to win the competition.
What this tells us is that multiple researchers have found similar zero-day vulnerabilities. We can expand this concept to assume the bad guys have found some of these bugs as well and will use them before they are patched out, if they’re not using them already. This is where you see the power of DVLabs and our Digital Vaccine filter set. By providing “virtual patches” for these extremely dangerous and prolific vulnerabilities, our customers are uniquely protected until vendors can build and release a patch, and maintenance windows can be scheduled for impacted systems to be remedied.
Keep following this post for updates, including upcoming Digital Vaccine coverage for all of the network-exploitable vulnerabilities seen over this hectic three-day hackfest!
Day 1: March 15, 2017
| Time (PDT) | Team | Target | Successful? | Upcoming Digital Vaccine Coverage? |
| 10:00 am | 360 Security (@mj0011sec) | Adobe Reader | Yes | Yes
ZDI-CAN-4575 |
| 11:30 am | Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) | Apple Safari with an escalation to root on macOS | Partial Win | Yes
ZDI-CAN-4578 |
| 1:00 pm | Tencent Security – Team Ether | Microsoft Edge | Yes | Yes
ZDI-CAN-4584 |
| 2:00 pm | Chaitin Security Research Lab (@ChaitinTech) | Ubuntu Desktop | Yes | Local Only |
| 3:30 pm | Tencent Security – Team Ether | Microsoft Windows | No | N/A |
| 5:00 pm | Ralf-Philipp Weinmann | Microsoft Edge with a SYSTEM-level escalation | No | N/A |
| 6:00 pm | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | Google Chrome with a SYSTEM-level escalation | No | Yes
ZDI-CAN-4587 |
| 7:30 pm | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | Adobe Reader | Yes | Yes
ZDI-CAN-4588 ZDI-CAN-4589 |
| 8:30 pm | Chaitin Security Research Lab (@ChaitinTech) | Apple Safari with an escalation to root on macOS | Yes | Yes
ZDI-CAN-4591 ZDI-CAN-4593 ZDI-CAN-4594 ZDI-CAN-4595 ZDI-CAN-4596 |
| 10:00 pm | Richard Zhu (fluorescence) | Apple Safari with an escalation to root on macOS | No | Yes
ZDI-CAN-4597 ZDI-CAN-4598 |
Day 2: March 16, 2017
With the unprecedented number of contestants and entries, the Day 2 schedule is divided into two tracks. Track A focuses on attempts against Microsoft and Adobe products. Track B focuses on products from Apple and Mozilla.
Day 2: March 16, 2017 – TRACK A
| Time (PDT) | Team | Target | Successful? | Upcoming Digital Vaccine Coverage? |
| 8:30 am | 360 Security (@mj0011sec) | Adobe Flash with a SYSTEM-level escalation and a virtual machine escape | Yes, but no virtual machine escape | Yes ZDI-CAN-4601 |
| 10:00 am | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | Adobe Flash with a SYSTEM-level escalation | Yes | Yes
ZDI-CAN-4607 |
| 11:00 am | Tencent Security – Lance Team | Microsoft Edge with a SYSTEM-level escalation | Yes | Yes ZDI-CAN-4611 |
| 1:00 pm | Tencent Security – Sword Team | Microsoft Edge | N/A | N/A |
| 2:30 pm | Tencent Security – Lance Team | Microsoft Windows | N/A | N/A |
| 3:30 pm | Tencent Security – Team Shield (Keen Lab and PC Mgr) | Microsoft Edge with a SYSTEM-level escalation | N/A | N/A |
| 4:30 pm | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | Microsoft Edge with a SYSTEM-level escalation | Yes | Yes
ZDI-CAN-4618 |
| 5:30 pm | 360 Security (@mj0011sec) | Microsoft Windows | Yes | Local Only |
| 7:00 pm | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | Microsoft Windows | Local Only |
Day 2: March 16, 2017 – TRACK B
| Time (PDT) | Team | Target | Successful? | Upcoming Digital Vaccine Coverage? |
| 9:15 am | Tencent Security – Team Shield (Keen Lab and PC Mgr) | Apple macOS | N/A | N/A |
| 10:45 am | 360 Security (@mj0011sec) | Apple macOS | Yes | Local Only |
| 11:45 am | 360 Security (@mj0011sec) | Apple Safari with an escalation to root on macOS | Yes | Yes
ZDI-CAN-4613 |
| 2:00 pm | Chaitin Security Research Lab (@ChaitinTech) | Apple macOS | Yes | N/A |
| 3:00 pm | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | Apple macOS | N/A | N/A |
| 4:00 pm | Moritz Jodeit, Blue Frost Security (@moritzj) | Mozilla Firefox | No | N/A |
| 5:00 pm | Chaitin Security Research Lab (@ChaitinTech) | Mozilla Firefox with a SYSTEM-level escalation | Yes | Yes
ZDI-CAN-4620 |
| 6:00 pm | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | Apple Safari with an escalation to root on macOS | Yes | Yes
ZDI-CAN-4623 |
Day 3: March 17, 2017
| Time (PDT) | Team | Target | Successful? | Upcoming Digital Vaccine Coverage? |
| 9:00am | 360 Security (@mj0011sec) | Microsoft Edge with a SYSTEM-level escalation and a virtual machine escape | Yes |
Yes ZDI-CAN-4625 |
| 11:00am | Richard Zhu (fluorescence) | Microsoft Edge with a SYSTEM-level escalation | Yes |
Yes ZDI-CAN-4628 ZDI-CAN-4629 |
| 11:45am | Tencent Security – Team Sniper (Keen Lab and PC Mgr) | VMWare Workstation (Guest-to-Host) | Yes | N/A |
| 5:45pm | Final closing and Master of Pwn award ceremony |
