Pwn2Own 2017: Experts Hack Edge, Safari, Ubuntu
16.3.2017 securityweek Congress
Bug bounty hunters have managed to hack Microsoft Edge, Safari, Ubuntu and Adobe Reader on the first day of the Pwn2Own 2017 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.
The prize pool for this year’s event is $1 million and 11 teams have signed up to hack products in four categories. On the first day of the competition, participants earned a total of $233,000 for the exploits they disclosed.
A researcher from Chinese security firm Qihoo360 earned $50,000 for hacking Adobe Reader on Windows. The hacker leveraged remote code execution and information disclosure vulnerabilities in Windows, and a JPEG2000 heap overflow in Reader to complete the task.
Adobe Reader was also cracked by Team Sniper from Tencent Security, which exploited use-after-free and information disclosure flaws to achieve code execution, and a use-after-free in the kernel to obtain SYSTEM-level permissions. The team earned $25,000 for its exploits.
Researchers Samuel Groß and Niklas Baumstark earned $28,000 for hacking Apple’s Safari web browser using a combination of a use-after-free flaw, three logic bugs and a null pointer dereference. Their attempt was only partially successful, but they did earn style points for displaying a special message on the targeted Mac’s touch bar.
The Beijing-based Chaitin Security Research Lab earned $35,000 for gaining root access to a Mac through Safari. The team exploited six flaws, including one information disclosure, four type confusions and a use-after-free.
The same team also successfully hacked Ubuntu Desktop via a heap out-of-bounds access in the Linux kernel, which earned them $15,000. It’s worth noting that this is the first Pwn2Own where participants get rewarded for finding local privilege escalation vulnerabilities.
The highest reward of the first day, $80,000, was earned by Tencent Security’s Team Ether, which managed to hack Microsoft’s Edge browser using an arbitrary write bug in Chakra and a logic bug to escape the sandbox.
Each of these contestants also earned Master of Pwn points, and the researcher or team with the highest total will receive 65,000 ZDI reward points, which are worth roughly $25,000.
Team Ether had signed up to hack Windows as well, but they withdrew the entry. Researcher Ralf-Philipp Weinmann, who targeted Edge, also withdrew his entry. Richard Zhu and Team Sniper failed to hack Safari and Google Chrome, respectively, in the allocated timeframe.