- Local privilege escalation in Ubuntu Desktop by exploiting a Linux kernel vulnerability caused by incorrect validation of input values (prize $30);
- Demonstration of an escape from the guest environment in VirtualBox and code execution with hypervisor rights, exploiting two vulnerabilities: a read of data outside the allocated buffer and an error in handling uninitialized variables (prize 40 thousand dollars). Outside the competition, representatives of the Zero Day Initiative also demonstrated another VirtualBox hack, which allows access to the host system through manipulations in the guest environment;
- Hacking Safari with privilege escalation to the macOS kernel level and running the calculator as root. The exploit used a chain of 6 bugs (prize 70 thousand dollars);
- Two demonstrations of local privilege escalation in Windows by exploiting vulnerabilities that lead to access to an already freed memory area (use-after-free) (two prizes of 40 thousand dollars each);
- Gaining administrator access in Windows when a specially crafted PDF document is opened in Adobe Reader. The attack involves vulnerabilities in Acrobat and the Windows kernel related to accessing already freed memory areas (prize of $50).
The prize categories for hacking Chrome, Firefox, Edge, Microsoft Hyper-V Client, Microsoft Office and Microsoft Windows RDP remained unclaimed. An attempt was made to hack VMware Workstation, but it was unsuccessful.
As was the case last year, the prize categories did not include hacks of most open source projects (nginx, OpenSSL, Apache httpd).
Separately, we can note the topic of hacking the information systems of a Tesla car. There were no attempts to hack Tesla at the competition, despite the maximum prize of $700 thousand, but separately
Source: opennet.ru