Pwn2Own 2021 hacking contest ends with a three-way tie
The 2021 spring edition of Pwn2Own, the cybersecurity industry's biggest hacking competition, has come to a close today with a three-way tie between Team Devcore, OV, and the duo of security researchers Daan Keuper and Thijs Alkemade.
And the Master of Pwn is.....
— Zero Day Initiative (@thezdi) April 8, 2021
A tie!
Congrats to Team DEVCORE, OV, and Daan Keuper and Thijs Alkemade. All are considered Master of Pwn and receive Platinum status next year. Thanks again to all who participated. It was an amazing contest, & we couldn't have don it without you. pic.twitter.com/IuCbdMCU17
At this edition, security researchers successfully hacked Windows 10, Ubuntu, Safari, Chrome, Zoom, Microsoft Exchange, Microsoft Teams, and Parallels Desktop.
Just like the previous two contests (the Pwn2Own 2020 spring and fall editions), the 2021 Pwn2Own spring edition was held in a virtual format due to the ongoing COVID-19 pandemic that has limited many contestants' traveling operations.
For this edition, Pwn2Own organizers published a list of eligible targets earlier this year, in January. Multiple teams signed up and scheduled 23 hacking sessions against ten different products from the list of predefined targets.
The teams had 15 minutes to run their exploit code and achieve remote code execution inside the targeted app. For each successful exploit, the teams received a monetary award from the contest's sponsors and points towards the overall ranking.
The contest spanned three days and was broadcast on YouTube, Twitch, and Periscope. Recorded sessions for the three contest days are below.
Pwn2Own 2021 spring edition results
The results for each session are below, as provided by the Zero Day Initiative team via their live-updating blog post this week.
Day 1, Tuesday, April 6
Attempt 01 - Jack Dates from RET2 Systems targeting Apple Safari in the Web Browser category
SUCCESS - Jack used an integer overflow in Safari and an OOB Write to get kernel-level code execution. In doing so, he wins $100,000 and 10 Master of Pwn points.
Attempt 02 - DEVCORE targeting Microsoft Exchange in the Server category
SUCCESS - The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.
Attempt 03 - The researcher who goes by OV targeting Microsoft Teams in the Enterprise Communications category
SUCCESS - OV combined a pair of bugs to demonstrate code execution on Microsoft Teams. In doing so, we earns himself $200,000 and 20 points towards Master of Pwn
Attempt 04 - Team Viettel targeting Windows 10 in the Local Escalation of Privilege category
SUCCESS - The team used an integer overflow in Windows 10 to escalate from a regular user to SYSTEM privileges. This earns them $40,000 and 4 points towards Master of Pwn.
Attempt 05 - The STAR Labs team of Billy, Calvin and Ramdhan targeting Parallels Desktop in the Virtualization category
FAILURE - The STAR Labs team could not get their exploit to work within the time allotted.
Attempt 06 - Ryota Shiga of Flatt Security Inc targeting Ubuntu Desktop in the Local Escalation of Privilege category
SUCCESS - Ryota used an OOB access bug to go from a standard user to root on Ubuntu Desktop. He earns $30,000 and 3 Master of Pwn points in his Pwn2Own debut.
Attempt 07 - The STAR Labs team of Billy, Calvin and Ramdhan Oracle VirtualBox in the Virtualization category
FAILURE - The STAR Labs team could not get their exploit to work within the time allotted.
Day 2, Wednesday, April 7
Attempt 08 - Jack Dates from RET2 Systems targeting Parallels Desktop in the Virtualization category
SUCCESS - Jack combined three bugs - an uninitialized memory leak, a stack overflow, and an integer overflow to escape Parallels Desktop and execute code on the underlying OS. He earns $40K and 4 more Master of Pwn points. His two day total is now $140,000 and 14 points.
Attempt 09 - Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) targeting Google Chrome and Microsoft Edge (Chromium) in the Web Browser category
SUCCESS - The team used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points.
Attempt 10 - Team Viettel targeting Microsoft Exchange in the Server category
PARTIAL - Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.
Attempt 11 - Daan Keuper and Thijs Alkemade from Computest targeting Zoom Messenger in the Enterprise Communications category
SUCCESS - Daan Keuper and Thijs Alkemade from Computest used a three bug chain to exploit Zoom messenger and get code execution on the target system - all without the target clicking anything. They earn themselves $200,000 and 20 Master of Pwn points.
Attempt 12 - Tao Yan (@Ga1ois) of Palo Alto Networks targeting Windows 10 in the Local Escalation of Privilege category
SUCCESS - Tao Yan used a Race Condition bug to escalate to SYSTEM on the fully patched Windows 10 machine. He earns himself $40,000 and 4 points towards Master of Pwn.
Attempt 13 - Sunjoo Park (aka grigoritchy) targeting Parallels Desktop in the Virtualization category
SUCCESS - Sunjoo Park (aka grigoritchy) used a logic bug to execute code on the underlying operating system through Parallels Desktop. He wins $40,000 and 4 points towards Master of Pwn.
Attempt 14 - Manfred Paul targeting Ubuntu Desktop in the Local Escalation of Privilege category
SUCCESS - Manfred used an OOB Access bug to escalate to a root user on Ubuntu Desktop. The Pwn2Own veteran earns himself $30,000 and 3 points towards Master of Pwn.
Attempt 15 - The researcher known as z3r09 targeting Windows 10 in the Local Escalation of Privilege category
SUCCESS - z3r09 used an integer overflow to escalate his permissions up to NT Authority\SYSTEM. His impressive display nets him $40,000 and 4 points towards Master of Pwn.
Day 3, Tuesday, April 8
Attempt 16 - Benjamin McBride from L3Harris Trenchant targeting Parallels Desktop in the Virtualization category
SUCCESS - Ben used a memory corruption bug to successfully execute code on the host OS from within Parallels Desktop. He earns $40,000 and 4 Master of Pwn points.
Attempt 17 - Steven Seeley of Source Incite targeting Microsoft Exchange in the Server category
PARTIAL - Although Steven did use two unique bugs in his demonstration, this attempt was a partial win due to the Man-in-the-Middle aspect of the exploit. It's still great research though, and he earns 7.5 Master of Pwn points.
Attempt 18 - The STAR Labs team of Billy targeting Ubuntu Desktop in the Local Escalation of Privilege category
PARTIAL - Although Billy was able to successfuolly escalate privileges to root, the bug he used was known to the vendor and will be patched soon. The demonstration does earn him 2 additional Master of Pwn points.
Attempt 19 - Fabien Perigaud of Synacktiv targeting Windows 10 in the Local Escalation of Privilege category
PARTIAL - Despite the excellent use of ASCII art during his demonstration, it turns out Microsoft was aware of the bug he used. He still earns 2 Master of Pwn points for the partial win.
Attempt 20 - Alisa Esage targeting Parallels Desktop in the Virtualization category
PARTIAL - Despite the great demonstration (replete with ASCII art), the bug used by Alisa had been reported to the ZDI prior to the contest, making this a partial win. It's still great work, and we're thrilled she broke ground as the 1st woman to participate as an independent researcher in Pwn2Own history. Her efforts do result in two points towards Maser of Pwn.
Attempt 21 - Vincent Dehors of Synacktiv targeting Ubuntu Desktop in the Local Escalation of Privilege category
SUCCESS - Despite admitting this was the first exploit he had written for Linux, Vincent had no issues escalating to root through a double free bug. He earns himself $30,000 and 3 Master of Pwn points.
Attempt 22 - Da Lao targeting Parallels Desktop in the Virtualization category
SUCCESS - The researcher known as Da Lao used an OOB Write to successfully complete his guest-to-host escape in Parallels. He earns $40,000 and 4 points towards Master of Pwn.
Attempt 23 - Marcin Wiazowski targeting Windows 10 in the Local Escalation of Privilege category
SUCCESS - Marcin used a Use After Free (UAF) bug to escalate to SYSTEM on Windows 10. He wins himself $40,000 and 4 Master of Pwn points.
Three teams tied
But despite three days of hacking, at the end of the third contest day, three teams were tied for the lead, with 20 points each, the same standing carried over since day 2.
Among the most popular targets this year, we saw Windows 10, Microsoft Exchange, and Parallels Desktop targeted multiple times. Most security experts who watched the contest described the zero-click Zoom exploit as the most impressive hack of this year's competition.
That Zoom zero-click RCE gives me a rash and makes my face itch https://t.co/Sjs8shJdYF
— Ryan Naraine (@ryanaraine) April 9, 2021
However, none of this year's contestants tried to hack the Tesla Model 3 car that was made available to researchers by the automaker. The car was last hacked in 2019.
All security bugs used during the contest have been collected by the contest organizers, Trend Micro's Zero Day Initiative, and have been shared with the software makers, many of which have also sponsored the contest for this very same purpose.
The vendors have 90 days to patch the bugs used in the contest before they are made public on the Zero Day Initiative portal.
Catalin Cimpanu
is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.