Pierluigi Paganini March 21, 2019

Pwn2Own 2019 hacking competition is started and participants hacked Apple Safari browser, Oracle VirtualBox and VMware Workstation on the first day.

As you know I always cover results obtained by white hat hackers at hacking competitions, for this reason, today I’ll share with you the results of the first day of the Pwn2Own 2019.

Pwn2Own 2019 is the hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) that is taking place in Vancouver, Canada, alongside the CanSecWest conference.

This edition includes a novelty, for the first time in its history
participants have been invited to hack a Tesla Model 3, the organization is offering up to $300,000 and a car for.

The overall prize pool is greater than $1 million and participants are very enthusiastic to take part in the competition.

On the first day, they were able to hack into Apple’s Safari web browser and the Oracle VirtualBox and VMware Workstation virtualization products earning a total of $240,000 in cash.

Amat Cama and Richard Zhu of team Fluoroacetate earned $55,000, and 5 points towards Master of Pwn, for an exploit targeting the Safari web browser. The security duo chained an integer overflow in the browser and a heap overflow that allowed them to escape the sandbox. The experts finally used a brute-force technique to escape the sandbox.

“They successfully exploited the browser and escaped the sandbox by using an integer overflow in the browser and a heap overflow to escape the sandbox. The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape.” reads the official page of the Pwn2Own 2019 competition.

“The code would fail then try again until it succeeded. The demonstration earned them $55,000 USD and 5 points towards Master of Pwn.”

The same experts also earned $35,000 for hacking Oracle VirtualBox by triggering on the second attempt an integer underflow and a race condition to escalate privileges and execute arbitrary code.

Amat Cama and Richard Zhu also earned $70,000 for escaping a VMware Workstation virtual machine and executing code on the underlying host operating system.

It was a great day for the Fluoroacetate team that earned a total of $160,000 in just one day.

On the first day, another experts of STAR Labs who uses the handle anhdaden earned $35,000 for hacking Oracle VirtualBox by exploiting an integer underflow to escalate privileges and execute code on the underlying host. The integer overflow issue exploited by the expert is differed than the one discovered by Fluoroacetate.

The day one close with the Phoenhex & Qwerty team that earned $45,000 for a complete system compromise via an Apple Safari exploit with a kernel elevation. In order to exploit the flaw, the attackers need to trick victims into visiting a malicious website.

“By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read – used twice – then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. Unfortunately, it was only a partial win since Apple already know of one of the bugs used in the demo. Still, they earned themselves $45,000 USD and 4 points towards Master of Pwn.” reads ZDI.

If you want to receive news on the ongoing Pwn2Own 2019 competition stay tuned.

Pierluigi Paganini

(SecurityAffairs – Pwn2Own 2019, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]