Ubuntu, Chrome, Safari, Parallels and Microsoft products hacked at Pwn2Own 2021

The results of the three days of the Pwn2Own 2021 competition, held annually as part of the CanSecWest conference, have been summed up. Like last year, the competition was held virtually and the attacks were demonstrated online. Of the 23 designated targets, working techniques for exploiting previously unknown vulnerabilities were demonstrated for Ubuntu Desktop, Windows 10, Chrome, Safari, Parallels Desktop, Microsoft Exchange, Microsoft Teams, and Zoom. In all cases, the latest versions of the programs were tested, with all available updates installed. The total amount of payments was one million two hundred thousand US dollars (the total prize fund was one and a half million dollars).

Three attempts were made to exploit vulnerabilities in Ubuntu Desktop at the competition. The first and second attempts were credited: the attackers demonstrated local privilege escalation by exploiting previously unknown vulnerabilities related to a buffer overflow and a double free of memory (the affected components have not yet been disclosed; developers are given 90 days to fix the bugs before details are published). Prizes of $30 were paid for these vulnerabilities.

The third attempt, made by another team in the local privilege escalation category, was only partially successful: the exploit worked and gave root access, but the attack was not fully credited, since the bug behind the vulnerability was already known to Ubuntu developers and an update with a fix was being prepared.

A successful attack was also demonstrated against browsers based on the Chromium engine, Google Chrome and Microsoft Edge. A $100 bounty was paid for an exploit that executes code when a specially crafted page is opened in Chrome and Edge (one universal exploit was created for both browsers). The fix is planned to be published in the coming hours; so far it is only known that the vulnerability is present in the process responsible for processing web content (the renderer).

Other successful attacks:

  • $200 for the Zoom app hack (code was executed by sending a message to another user, without the need for any action on the part of the recipient). The attack used three vulnerabilities in Zoom and one in the Windows operating system.
  • $200 for a Microsoft Exchange hack (authentication bypass and local elevation of privileges on the server to gain administrator rights). Another successful exploit was demonstrated by another team, but the second prize was not paid, as the same bugs had already been exploited by the first team.
  • $200 for a Microsoft Teams hack (running code on a server).
  • $100K for an Apple Safari exploit (an integer overflow in Safari and a buffer overflow in the macOS kernel, used to bypass the sandbox and execute kernel-level code).
  • $140 for a Parallels Desktop hack (escaping the virtual machine and executing code on the host system). The attack exploited three different vulnerabilities: an uninitialized memory leak, a stack overflow and an integer overflow.
  • Two $40 awards for Parallels Desktop hacks (a logic error and a buffer overflow that allowed code to be executed in the host OS through actions inside a virtual machine).
  • Three $40 bonuses for three successful exploits of Windows 10 (an integer overflow, access to memory that had already been freed, and a race condition, which allowed SYSTEM privileges to be obtained).

Attempts to hack Oracle VirtualBox were made but were unsuccessful. The categories for hacking Firefox, VMware ESXi, Hyper-V client, MS Office 365, MS SharePoint, MS RDP and Adobe Reader remained unclaimed. Also, no one attempted to demonstrate a hack of the Tesla car's information system, despite the prize of 600 thousand dollars plus a Tesla Model 3 car.

Source: opennet.ru
