The spring 2021 edition of the Pwn2Own hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.
A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI).
Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems.
Some of the major highlights are as follows:
- Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server, for which the Devcore team netted $200,000
- Chaining a pair of bugs to achieve code execution in Microsoft Teams, earning researcher OV $200,000
- A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system ($200,000)
- The exploitation of an integer overflow flaw in Safari and an out-of-bounds write to get kernel-level code execution ($100,000)
- An exploit aimed at the Chrome renderer to hack Google Chrome and Microsoft Edge (Chromium) browsers ($100,000)
- Leveraging use-after-free, race condition, and integer overflow bugs in Windows 10 to escalate from a regular user to SYSTEM privileges ($40,000 each)
- Combining three flaws (an uninitialized memory leak, a stack overflow, and an integer overflow) to escape Parallels Desktop and execute code on the underlying operating system ($40,000)
- Exploiting a memory corruption bug to successfully execute code on the host operating system from within Parallels Desktop ($40,000)
- The exploitation of an out-of-bounds access bug to elevate from a standard user to root on Ubuntu Desktop ($30,000)
The Zoom vulnerabilities exploited by Daan Keuper and Thijs Alkemade of Computest Security are particularly noteworthy because the flaws require no interaction from the victim other than being a participant on a Zoom call. What's more, they affect both Windows and Mac versions of the app, although it's not clear if Android and iOS versions are vulnerable as well.
Technical details of the flaws remain unclear as yet, and Zoom has a 90-day window to address the issues before they're made public. We have reached out to Zoom and we will update the story if we get a response.
In a statement sharing the findings, the Dutch security firm said the researchers "were then able to almost completely take over the system and perform actions such as turning on the camera, turning on the microphone, reading emails, checking the screen and downloading the browser history."
Independent researcher Alisa Esage also made history as the first woman to win Pwn2Own after finding a bug in virtualization software Parallels. But she was only awarded a partial win because the issue had been reported to ZDI prior to the event.
"I can only accept it as a proven fact that my successful Pwn2Own participation attracted scrutiny to certain controversial and probably outdated points in the contest rules," Esage tweeted, adding, "In the real world there is no such thing as a 'controversial point'. An exploit either breaks the target system or not."