Pwn2Own 2021 - Security researchers hack Exchange, Teams, Zoom, Safari, Chrome, Edge, Parallels, Windows, Ubuntu

Reading time icon 6 min. read


Readers help support MSPoweruser. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help MSPoweruser effortlessly and without spending any money. Read more

pwn2own 2021

Pwn2Own is back again, and once again the hacking contest has managed to destroy our illusions that there is such a thing as a secure software product.

Competing for $1.5 million in prizes, by Day 2 of the 3 day event the teams have already secured a collective $1.06 million and appear to have had success on nearly every platform they attempted.

This year the security researchers were targeting 10 different products in the categories of Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and – our newest category – Enterprise Communications.

The record of successful attempts so far include:

Tuesday, April 6

1000 – Jack Dates from RET2 Systems targeting Apple Safari in the Web Browser category

SUCCESS – Jack used an integer overflow in Safari and an OOB Write to get kernel-level code execution. In doing so, he wins $100,000 and 10 Master of Pwn points.

1130 – DEVCORE targeting Microsoft Exchange in the Server category

SUCCESS – The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.

1300 – The researcher who goes by OV targeting Microsoft Teams in the Enterprise Communications category

SUCCESS – OV combined a pair of bugs to demonstrate code execution on Microsoft Teams. In doing so, he earns himself $200,000 and 20 points towards Master of Pwn

1430 – Team Viettel targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS – The team used an integer overflow in Windows 10 to escalate from a regular user to SYSTEM privileges. This earns them $40,000 and 4 points towards Master of Pwn.

1630 – Ryota Shiga of Flatt Security Inc targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS – Ryota used an OOB access bug to go from a standard user to root on Ubuntu Desktop. He earns $30,000 and 3 Master of Pwn points in his Pwn2Own debut.

Wednesday, April 7

0900 – Jack Dates from RET2 Systems targeting Parallels Desktop in the Virtualization category

SUCCESS – Jack combined three bugs – an uninitialized memory leak, a stack overflow, and an integer overflow to escape Parallels Desktop and execute code on the underlying OS. He earns $40K and 4 more Master of Pwn points. His two day total is now $140,000 and 14 points.

1000 – Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) targeting Google Chrome and Microsoft Edge (Chromium) in the Web Browser category

SUCCESS – The team used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points.

1130 – Team Viettel targeting Microsoft Exchange in the Server category

PARTIAL – Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.

1300 – Daan Keuper and Thijs Alkemade from Computest targeting Zoom Messenger in the Enterprise Communications category

SUCCESS – Daan Keuper and Thijs Alkemade from Computest used a three bug chain to exploit Zoom messenger and get code execution on the target system – all without the target clicking anything. They earn themselves $200,000 and 20 Master of Pwn points.

1430 – Tao Yan (@Ga1ois) of Palo Alto Networks targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS – Tao Yan used a Race Condition bug to escalate to SYSTEM on the fully patched Windows 10 machine. He earns himself $40,000 and 4 points towards Master of Pwn.

1530 – Sunjoo Park (aka grigoritchy) targeting Parallels Desktop in the Virtualization category

SUCCESS – Sunjoo Park (aka grigoritchy) used a logic bug to execute code on the underlying operating system through Parallels Desktop. He wins $40,000 and 4 points towards Master of Pwn.

1630 – Manfred Paul targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS – Manfred used an OOB Access bug to escalate to a root user on Ubuntu Desktop. The Pwn2Own veteran earns himself $30,000 and 3 points towards Master of Pwn.

1730 – The researcher known as z3r09 targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS – z3r09 used an integer overflow to escalate his permissions up to NT Authority\SYSTEM. His impressive display nets him $40,000 and 4 points towards Master of Pwn.

Thursday, April 8

0900 – Benjamin McBride from L3Harris Trenchant targeting Parallels Desktop in the Virtualization category

SUCCESS – Ben used a memory corruption bug to successfully execute code on the host OS from within Parallels Desktop. He earns $40,000 and 4 Master of Pwn points.

1000 – Steven Seeley of Source Incite targeting Microsoft Exchange in the Server category

PARTIAL – Although Steven did use two unique bugs in his demonstration, this attempt was a partial win due to the Man-in-the-Middle aspect of the exploit. It’s still great research though, and he earns 7.5 Master of Pwn points.

1130 – The STAR Labs team of Billy targeting Ubuntu Desktop in the Local Escalation of Privilege category

PARTIAL – Although Billy was able to successfully escalate privileges to root, the bug he used was known to the vendor and will be patched soon. The demonstration does earn him 2 additional Master of Pwn points.

1230 – Fabien Perigaud of Synacktiv targeting Windows 10 in the Local Escalation of Privilege category

PARTIAL – Despite the excellent use of ASCII art during his demonstration, it turns out Microsoft was aware of the bug he used. He still earns 2 Master of Pwn points for the partial win.

1330 – Alisa Esage targeting Parallels Desktop in the Virtualization category

PARTIAL – Despite the great demonstration (replete with ASCII art), the bug used by Alisa had been reported to the ZDI prior to the contest, making this a partial win. It’s still great work, and we’re thrilled she broke ground as the 1st woman to participate as an independent researcher in Pwn2Own history. Her efforts do result in two points towards Maser of Pwn.

1430 – Vincent Dehors of Synacktiv targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS – Despite admiting this was the first exploit he had written for Linux, Vincent had no issues escalating to root through a double free bug. He earns himself $30,000 and 3 Master of Pwn points.

1530 – Da Lao targeting Parallels Desktop in the Virtualization category

SUCCESS – The researcher known as Da Lao used an OOB Write to successfully complete his guest-to-host escape in Parallels. He earns $40,000 and 4 points towards Master of Pwn.

1630 – Marcin Wiazowski targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS – Marcin used a Use After Free (UAF) bug to escalate to SYSTEM on Windows 10. He wins himself $40,000 and 4 Master of Pwn points.

Vendors have 90 days to produce a fix for all vulnerabilities reported.

If you missed the event you can catch up on YouTube, Twitch, and the conference site here.

via BleepingComputer.

More about the topics: pwn2own 2021, security

Leave a Reply

Your email address will not be published. Required fields are marked *