Skip to content
Naked Security Naked Security

Pwn2Own 2021: Zoom, Teams, Exchange, Chrome and Edge “fully owned”

Two lucky winners scooped $200k for just 20 minutes' work - if you don't count the days, weeks and months of meticulous effort beforehand

The annual Pwn2Own contest features live hacking where top cybersecurity researchers duke it out under time pressure for huge cash prizes.

Their quest: to prove that the exploits they claim to have discovered really do work under real-life conditions.

Indeed, Pwn2Own is a bug bounty program with a twist.

The end result is still responsible disclosure, where the affected vendor gets a chance to fix any flaws before they are made public, but the bug hunters don’t just submit their bug descriptions with a list of instructions for the vendor to follow and investigate.

The competitors are faced with a standardised, patched, vanilla configuration of the system they’re targeting, set up for them on hardware they didn’t choose theselves, and they have just 20 minutes in which to complete their attack during the competition.

That means there is very little time to adjust, adapt, rethink and rewrite code during the timed part of the event itself, so this really is a showcase for meticulous research, scrupulous preparation, careful rehearsal…

…mixed with a dash of je ne sais quoi and a dose of plain old luck.

The “plain old luck” factor exists because the participants do their demonstrations one after another over three days, with the order chosen randomly just before the competition starts.

If two teams show up with the same exploit, and both of those exploits succeed within the allotted time, then the winner isn’t the one who can prove they found it first during their research phase, but the one who just happened to get the earlier demonstration slot in the draw.

Clearly, the earlier the slot you draw, the less likely you are to get scooped by someone else who just happened to have found the same bug as you.

Greetz from Texas

Traditionally, the North American Pwn2Own event has taken place alongside the annual CanSecWest security conference held in Vancouver, Canada, but this year the official host city was Austin, Texas.

For obvious reasons, the actual hacking teams were distributed all over the world, rather than all travelling to meet in one place.

The full results for 2021 can be found on the Pwn2Own blog, including those who tried but failed, or those who tried but didn’t win any money because some part of their exploit chain was already known.

In some cases, competitors lost out because their exploits had been reported to the vendor before the competition by someone else, but not yet publicly disclosed; in other cases, they lost out simply through the bad luck of drawing a later slot in the competition than other participants who had brought along and exploited the same bugs.

We’ve listed the money-winning entries below – note that this year’s prize money totalled a very healthy $1.21 million!

The prize hierarchy looked like this:

  • $200k for code execution on a server or messaging platform
  • $100k for code execution via a browser
  • $40k for breaking out of a virtualised guest OS into the host OS
  • $40k for “getting root” (more properly, SYSTEM) on Windows 10
  • $30k for “getting root” on Linux

In case you are wondering, EoP below is short for elevation of privilege, which means exactly what it says: it doesn’t get you into a system in the first place, but it does gets you up to superpower level once you’re in.

Particpant                    Platform            Pwnership level   Prize
----------------------------  ------------------  ----------------  --------
DEVCORE                       Microsoft Exchange  Server takeover   $200,000
'OV’                          Microsoft Teams     Remote code exec  $200,000
Daan Keuper/Thijs Alkemade    Zoom Messenger      Remote code exec  $200,000
Bruno Keith/Niklas Baumstark  Chrome and Edge     Remote code exec  $100,000
Jack Dates                    Apple Safari        Kernel code exec  $100,000
Jack Dates                    Parallels Desktop   Escape to host     $40,000
Sunjoo Park                   Parallels Desktop   Escape to host     $40,000
Dao Lao                       Parallels Desktop   Escape to host     $40,000
Benajmin McBride              Parallels Desktop   Escape to host     $40,000
Team Viettel                  Windows 10          EoP to SYSTEM      $40,000
Tao Yan                       Windows 10          EoP to SYSTEM      $40,000
'z3r09’                       Windows 10          EoP to SYSTEM      $40,000
Marcin Wiazowski              Windows 10          EoP to SYSTEM      $40,000
Ryota Shiga                   Ubuntu Desktop      EoP to root        $30,000
Manfred Paul                  Ubuntu Desktop      EoP to root        $30,000
Vincent Dehors                Ubuntu Desktop      EoP to root        $30,000
                                                           =================
                                                           TOTAL  $1,210,000

Interestingly, there was a tenth product that was attacked in the competition, but that doesn’t show up in the list above because it remained unpwned within the allotted time: Oracle’s VirtualBox virtualisation software.

See you next year!

Congratulations to everyone who took part…

…and good news for all the rest of us, because all the bugs that were painstakingly uncovered, understood and used in the attacks above – and note that many attacks required a number of different exploits to be unleashed in a specfic sequence – will now all be fixed.

To learn more about vulnerabilities and how attackers chain them together for more devastating results, listen to our Understanding Vulnerabilities podcast below:

LISTEN NOW – UNDERSTANDING VULNERABILITIES

Podcast originally recorded in 2010. You can also listen directly on Soundcloud.


8 Comments

If researchers fail to successfully attack a target in the time allotted, do they still have to report the exploits used? Or can they save them for next year, possibly refining their technique, so that the attack will be successful within 30 minutes next time? Obviously they would not show up to the event if they did not have a working exploit – it’s just that the exploit didn’t succeed within the contest rules.

My reading of the rules is that if you “win” (by successfully hacking your selected target) then you are eligible to claim the relevant prize.

And to claim the prize, you have to hand over all the exploits you used, plus complete documentation, to Trend Micro (which owns ZDI which runs Pwn2Own). By “hand over” I mean “sign over all intellectual property rights.”

Therefore, AFAIK, you don’t have to tell anyone anything if your attack fails. Indeed, if your attack succeeds but you decide to forego the prize, then you don’t have to tell anyone anything, either.

https://www.zerodayinitiative.com/Pwn2OwnVancouver2021Rules.html

PS. The “hacking time” allowed is 20 minutes, not 30 as I originally stated above. (I have now edited the article accordingly.)

Obviously danger constantly lurks. What if a success takes an hour or a week? BFD! It’s still a success. Systems integrity relies on good intentions. We all know there are bad actors, opportunist exploiters including organized crime and nation states willing to pay for a hack. How about 2M for a system hack, say at the Pentagon? I am not advocating this or technology proficient but I can foresee dreadful consequences if a hacker goes rogue. Back in the 1950’s when the precursor to computers processed punch cards and required it’s own building there was on radio a mystery program THE SHADOW that began with the question; “Who knows what evil lurks in the heart of men? The shadow knows.” Nothing new.

It’s easy to visualize such an attack; one which is 100% successful but takes time to succeed. Now that all the major OSs use Random Load Address schemes to obfuscate the load addresses of target processes, it could take a substantial run time to find the target in question. Even more it the attempts were paced to avoid suspicion, clustering log entries, or the attention of intrusion detectors.

We all know that one does not simply rush a hardened site in the hopes of overrunning it. You study it. You probe it. You take the time to make (hopefully) unnoticed weakened points. And after you’ve properly prepared, and make a few weak spots here and there, then you attack at an unexpected time.
Bad actors do follow a good “combat” strategy. That’s why I trust those who perform bug bounties throughout the year over those who show a quick strike during a competition.

That’s a very valid point, and you are not alone in preferring what you might call “continuous disclosure of vulns at the point they are identified as likely to be exploitable” over “store up those vulns and weaponise them to prove that they are more than just a theoretical risk.”

To be clear, few of the successful hacks that are demonstrated at Pwn2Own are “quick strikes” in the sense that the competitor got lucky with a single fortunate jab of a lockpick into the lock. Perhaps the words “carefully planned strikes providing full-and-frank proof of danger amid a moment of high drama” might be a better description :-)

Indeed, many if not most Pwn2Own winning entries these days involve exploit chains that require the competitor to examine and find numerous vulnerable parts of the vendor’s code, so they generally do amount to bug bounty hunting that was conducted “throughout the year”…

…although there are those who criticise Pwn2Own because it encourages researchers who may have discovered bugs throughout the year to hold them back – perhaps for many months – in the hope that they can be turned into a potentially winning entry in Pwn2Own.

Those critics would prefer a world in which bugs are disclosed and patched as soon as they are found, even if they are only considered theoretically exploitable at that point.

Of course, entrants in Pwn2Own can argue that a bounty payout of $100,000 for three bugs that can be combined into a dangerous attack that really works [a] is probably a lot more than they would earn for disclosing each bug as a “here is a potential problem for your bug-fix list” [b] helps focus vendors on prioritising actually dangerous bugs ahead of theoretical ones.

If the intention is to find bugs or vulnerabilities, there shouldn’t have limitations (e.g. time limit). This is not “Iron Chef”.

The Iron Chef metaphor doesn’t work here – if Iron Chef were run this way, the contestants would have as much time as they wanted before showing up to the filming to design the menu, do a few test runs at home and in their own restaurants, finalise the menu for the show, acquire the ingredients, cook the final meal…

…and the 20 minute window would merely be the time during which they served the meal and had it tasted. (The proof part, shall we say, of the pudding.)

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?