Posted on April 11, 2021 at 7:25 PM
The Pwn2Own live hacking event kicked off with a bang, with total payouts exceeding $1 million and the competition’s first-ever female victor.
The competition hosted about 23 participants and security researchers, who collectively earned $1,210,000, a record, out of the total prize pool of $1.5 million. The event was organized by the Zero Day Initiative (ZDI) and lasted three days.
It ended with three security researchers jointly earning the top spot on the leaderboard, having accumulated 20 Master of Pwn points each.
This was the 14th edition of the hacking event, which takes place annually. Notably, a new category, enterprise communications, was added alongside the server, virtualization, and web browser categories.
Everyone is a winner
Different vendors volunteered their services and software for participants to hack. While the hackers are rewarded for successfully discovering bugs, the vendors benefit from having the participants probe their products for flaws.
When a bug is discovered, the vendor can patch it before threat actors find it.
The vendors can thus make their software more secure, protecting it against threat actors who would stop at nothing to compromise a system through a discovered bug.
Alisa Esage Shevchenko, the competition’s first-ever female contestant, was among the awardees after netting two Master of Pwn points.
She declared on Twitter that she is “super-hyped” after reaching a major personal goal with the “zero-day Hypervision VM escape exploit.”
This is the second consecutive time the event has taken place in a virtual format. It was originally an in-person event held every year in Canada, but the COVID-19 pandemic forced the organizers to adjust. The recently concluded event kicked off with eight successive entries.
$200,000 was won by two participants
One of the biggest highlights of the event saw eventual Masters of Pwn DEVCORE and ‘OV’ both earning $200,000 in prizes. The former performed a local privilege escalation and an authentication bypass to take control of the Microsoft Exchange server. The latter was awarded for a two-bug chain in Microsoft Teams, which led to code execution.
Additionally, fellow overall winners Thijs Alkemade and Daan Keuper earned the same amount the next day after they deployed a three-bug chain to actualize a zero-click code execution on Zoom messenger.
Niklas Baumstark and Bruno Keith from Dataflow Security were among the 11 successful entries the next day when they exploited the renderer in Chromium-based Microsoft Edge and Google Chrome. Both of them earned $100,000.
Another team, comprising Marcin Wiazowski, Da Lao, and Benjamin McBride of L3Harris Trenchant, earned $40,000 for a memory corruption vulnerability that led to code execution on Parallels Desktop. The trio also earned four Master of Pwn points each for their work.
Brian Gorenc, head of ZDI and senior director of bug research at Trend Micro, was asked to choose his favorite exploit. He answered that it is difficult to choose between the zero-day Zoom demonstration and the Microsoft Exchange exploit. He added that both have a massive impact on targets with millions of users.
Vendors are given 90 days to provide patches
The event was streamed live on Twitch and YouTube, and the ZDI blog presented a stage-by-stage account of the exploits.
Vendors who participated in the event have 90 days to provide patches for the reported vulnerabilities before they are exposed to the public.
Pwn2Own Vancouver 2020 was hurriedly moved to a virtual format last year after the COVID-19 pandemic broke out. That first-ever virtual edition was won by returning champions Richard Zhu and Amat Cama of Team Fluoroacetate after they took control of the Windows kernel and Adobe Reader through a pair of use-after-free vulnerabilities.
There is a high expectation that the in-person format may return following the rollout of the COVID-19 vaccine. However, the organizers stated that they are not sure when a return to the old format will be possible.
“Our goal is to make the best of what we’re doing in the virtual format and combine it with a physical contest for a hybrid event,” they stated.