This year’s Pwn2Own 2021 hacking contest showed how fragile even widely deployed software remains: Windows 10, Ubuntu, Zoom, Safari, Chrome, Edge and Microsoft Exchange were all successfully exploited.
The event ended in a three-way tie for Master of Pwn between Team Devcore, researcher OV, and the Computest researchers Daan Keuper and Thijs Alkemade.
A total of $1.2 million was awarded for 16 high-profile exploits during the three-day virtual event organized by Trend Micro’s Zero Day Initiative (ZDI).
Major Highlights of Pwn2Own 2021
- Team Devcore received $200,000 for taking over a Microsoft Exchange server by chaining an authentication bypass with a local privilege escalation.
- Researcher OV earned $200,000 by chaining a pair of bugs to execute code in Microsoft Teams.
- Zoom was compromised with a zero-click exploit: a three-bug chain against the messenger app that gave code execution on the target system ($200,000).
- An integer overflow in Safari, combined with an out-of-bounds write, was exploited to gain kernel-level code execution ($100,000).
- Google Chrome and Microsoft Edge were both hacked with the same exploit, which claimed a prize of $100,000.
- Windows 10 was escalated from a regular user to SYSTEM privileges in three separate entries, exploiting a use-after-free, a race condition, and an integer overflow respectively. Each entry earned $40,000.
- $40,000 was awarded for escaping Parallels Desktop and executing code on the host by combining three flaws: an uninitialized memory leak, a stack overflow, and an integer overflow.
- A memory corruption flaw was exploited to execute code on the host operating system from within a Parallels Desktop guest, for a prize of $40,000.
- An out-of-bounds access bug was exploited to escalate a standard user to root on Ubuntu Desktop ($30,000).
Daan Keuper and Thijs Alkemade of Computest Security stood out from the rest for their Zoom exploit. It is noteworthy because it required no interaction on the part of the victim, who only needed to be reachable through Zoom’s messenger. Worse, it affects both the Windows and the macOS clients, though it is not clear whether Android and iOS users are also affected.
We’re still confirming the details of the #Zoom exploit with Daan and Thijs, but here’s a better gif of the bug in action.
Confirmed! The duo of Daan Keuper and Thijs Alkemade from Computest used a 3-bug chain to exploit #Zoom messenger with 0 clicks from the target. They win $200,000 and 20 points towards Master of Pwn. #Pwn2Own pic.twitter.com/dLFpH1uq8G
— Zero Day Initiative (@thezdi) April 7, 2021
History was also made this year: Alisa Esage became the first woman to win at Pwn2Own, with a bug in the virtualization software Parallels Desktop. She was awarded only a partial prize, however, because the issue had already been reported to ZDI prior to the event.