The first day of Pwn2Own 2021 isn’t dull at all. We’ve seen contestants pulling various bugs in platforms like Microsoft Exchange server, Teams, Ubuntu, Windows 10, macOS, etc. Winners of the first day have earned more than half a million already and will be targeting more software tomorrow like Zoom, Safari, Firefox, Chrome, etc.
Hacking Most Used Software
To the unknown, Pwn2Own is a hacking event held every year, twice since recently, to surface bugs in popular user-facing software. Red teams and independent hackers disclosing the serious bugs will be awarded cash prizes, with the final team/person getting a Tesla Model 3 along with the bounty.
This year’s Pwn2Own has a great start, with teams of various cybersecurity groups hitting popular software like Windows 10, Ubuntu, Microsoft Teams, etc. The Devcore team has won $200,000 cash and 20 Master of Pwn points for achieving RCE access into the Microsoft Exchange server by exploiting two bugs of authentication bypass and a local privilege escalation.
Another group called Team Viettel has earned a $40,000 prize and 4 Master of Pwn points in the Local Escalation of Privilege category by exploiting a bug in the Windows 10 OS that led them to escalate privileges to SYSTEM from being a regular user.
An individual researcher awarded $200,000 and 20 Master of Pwn points after hitting the Microsoft Teams in Enterprise Communications section. He successfully obtained code execution through OV online moniker in the Microsoft Teams software by chaining two bugs.
Other OS like Apple and Linux also had their integrity busted by contestants. Jack Dates from RET2 Systems earned $100,000 after gaining kernel-level code execution in macOS through integer overflow and out-of-bounds write bugs in Safari browser. Ryota Shiga from Flatt Security has hit the Ubuntu Desktop machine with an OOB access bug, thus gaining root access and a $30,000 prize.
These players will be proceeding to the second day with Zoom messenger and popular browsers like Microsoft Edge, Google Chrome, and Mozilla Firefox. And other newbies will try fishing for new vulnerabilities in the Day 1 targets.