(This was originally posted on 2/10/2016 to the HP Enterprise Blog. With the completion of Trend Micro’s acquisition of TippingPoint, including the Zero Day Initiative it is being reposted here)
Vancouver is a city known for its wonderful aquarium, stunning art gallery, and great cuisine. Over the last several years, it has also become home to the world’s premiere event for security researchers to demonstrate vulnerabilities in the latest software and get some serious cash in the process – Pwn2Own. This year, Hewlett Packard Enterprise, Trend Micro, and the Zero Day Initiative partner to bring the annual Pwn2Own to Vancouver with a new twist to the rules to keep things interesting.
Since it’s inception in 2007, Pwn2Own has increased the challenge level at each new competition, and this year is no different. While the latest browsers from Google, Microsoft, and Apple are still targets, the Windows-based targets will be running on a VMware Workstation virtual machine. A $75K bonus will be given to those who can escape the VMware virtual machine. This is our first year including VMware as a target, and we look forward to seeing what researchers will do with it.
Master of Pwn
Where others imitate Pwn2Own, we innovate. Observers usually tally up the prize money to determine if there is a “biggest winner” of Pwn2Own. This year, we’re formalizing the process by recognizing the researcher who had the best overall performance throughout the entire contest. Points will be awarded for each successful exploit, and the contestant with the highest total points at the end of the contest will receive 65,000 ZDI reward points (estimated at $25,000). We’re calling this the “Master of Pwn,” and here’s how it will work. Total points are calculated by the sum of the successful entries based on the following point allocations:
|VMware Workstation Escape||13|
|Target Sandbox Escape||3|
For example, if someone has two successful entries (Google Chrome with a sandbox escape and Microsoft Edge with a SYSTEM escalation), the total points would be 28 points – and that’s in addition to the prize money itself. If two or more contestants have the same number of points at the end of the contest, all of them will receive the ZDI reward points, sharing the Master of Pwn title.
As in previous years, the contest will take place in Vancouver, British Columbia, at the CanSecWest 2016 conference on March 16 and 17. The schedule of contestants and platforms will be determined by random drawing on the first day of the conference and posted on the Trend Micro Simply Security blog prior to the start of competition.
Rules and prizes
The 2016 competition consists of four of the most popular, and most targeted, software platforms in the world. All target machines will be running the latest fully-patched versions of the relevant operating systems (Windows 10 64-bit and OS X “El Capitan”), installed in their default configurations. As in last year’s competition, the exploit must work with Microsoft’s Enhanced Mitigation Experience Toolkit (most current version compatible with the target) protections are enabled.
Mac OS X-based targets:
If the exploit achieves SYSTEM-level code execution or root-level code execution, the contestant will receive an additional $20,000.
As mentioned, the Windows-based targets will be running in a VMware Workstation virtual machine. If anyone manages to escape the VMware Workstation virtual machine and achieves code execution on the host operating system, they’ll receive an additional $75,000. This prize is only eligible on the Windows-based targets listed above.
As always, successful exploitation means you get that amount in a single payment – not ‘up to’ that amount and not paid out in installments.
Now for a few notes from our lawyers. A successful entry in the contest should leverage a vulnerability to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions. The entry is required to defeat the target’s techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and application sandboxing. The resulting payload should be executing in an elevated context (for example, on Windows-based targets, Medium integrity level or higher).
The vulnerability or vulnerabilities used in each attack must be unknown, unpublished, and not previously reported to the vendor. A particular vulnerability can only be used once across all categories. A successful remote attack against these targets must require no user interaction beyond the action required to browse to the malicious content and must occur within the user’s session with no reboots, or logoff/logons.
The full set of rules for Pwn2Own 2016 is available here. They may be changed at any time without notice. We encourage entrants to read the rules thoroughly if they choose to participate.
Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at firstname.lastname@example.org to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine contestant order. Registration closes at 5pm Pacific Time on March 14, 2016.
Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors, and the proof of concept will become the property of ZDI in accordance with the ZDI program. If the affected vendors wish to coordinate an onsite transfer at the conference venue, ZDI is able to accommodate that request.
Follow the action
Trend Micro’s Simply Security blog will be updated periodically with blogs and photos between now and the competition, and in real time during the event. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #pwn2own hashtag for continuing coverage.
We look forward to seeing everyone in Vancouver, and let the pwnage commence!