The spring 2021 edition of the Pwn2Own[1]
hacking contest concluded last week on April 8 with a three-way tie
between Team Devcore, OV, and Computest researchers Daan Keuper and
Thijs Alkemade.

A total of $1.2 million was awarded for 16 high-profile exploits
over the course of the three-day virtual event organized by the
Zero Day Initiative (ZDI).

Targets with successful attempts included Zoom, Apple Safari,
Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10,
and Ubuntu Desktop operating systems.


Some of the major highlights are as follows —

  • Using an authentication bypass and a local privilege escalation
    to completely take over a Microsoft Exchange server, for which the
    Devcore team netted $200,000
  • Chaining a pair of bugs to achieve code execution in Microsoft
    Teams, earning researcher OV $200,000
  • A zero-click exploit targeting Zoom that employed a three-bug
    chain to exploit the messenger app and gain code execution on the
    target system. ($200,000)
  • The exploitation of an integer overflow flaw in Safari and an
    out-of-bounds write to get kernel-level code execution
    ($100,000)
  • An exploit aimed at the Chrome renderer to hack Google Chrome
    and Microsoft Edge (Chromium) browsers ($100,000)
  • Leveraging use-after-free[2], race condition, and
    integer overflow bugs in Windows 10 to escalate from a regular user
    to SYSTEM privileges ($40,000 each)
  • Combining three flaws — an uninitialized memory leak, a stack
    overflow, and an integer overflow — to escape Parallels Desktop and
    execute code on the underlying operating system ($40,000)
  • Exploiting a memory corruption bug to successfully execute code
    on the host operating system from within Parallels Desktop
    ($40,000)
  • The exploitation of an out-of-bounds access bug to elevate from a
    standard user to root on Ubuntu Desktop ($30,000)

The Zoom vulnerabilities[3]
exploited by Daan Keuper and Thijs Alkemade of Computest Security
are particularly noteworthy because the flaws require no
interaction from the victim other than being a participant on a Zoom
call. What’s more, the exploit affects both the Windows and Mac versions
of the app, although it’s not clear whether the Android and iOS versions
are vulnerable as well.


Technical details of the flaws have not yet been disclosed, and Zoom
has a 90-day window to address the issues before they are made
public. We have reached out to Zoom and will update the story if
we get a response.

In a statement[4]
sharing the findings, the Dutch security firm said the researchers
“were then able to almost completely take over the system and
perform actions such as turning on the camera, turning on the
microphone, reading emails, checking the screen and downloading the
browser history.”

Independent researcher Alisa Esage also made history as the
first woman to win Pwn2Own after finding a bug in the virtualization
software Parallels. However, she was only awarded a partial win
because the issue had already been reported to ZDI prior to the
event.

“I can only accept it as a fact that my successful Pwn2Own
participation attracted scrutiny to certain arguable and
potentially outdated points in the contest rules,” Esage tweeted[5], adding, “In the real
world there is no such thing as an ‘arguable point’. An exploit
either breaks the target system or not.”

References

  1. Pwn2Own (www.zerodayinitiative.com)
  2. use-after-free (cwe.mitre.org)
  3. Zoom vulnerabilities (twitter.com)
  4. statement (www.computest.nl)
  5. tweeted (twitter.com)