The Tianfu Cup 2019 International Cyber Security Competition has started, in two days white hat hackers will attempt to exploit flaws in major software.
The Tianfu Cup 2019 International Cyber Security Competition has started, white hat hackers will attempt to devise working zero-day exploits for popular software.
Each working exploit receives a cash prize and points that are assigned to the team that devised it, like the popular Pwn2Own hacking contest.
Chinese white hat hackers have a long story of success, they won several international hacking contests in the past, but in 2018 the Chinese government prohibited Chinese experts in participating this kind of competition abroad.
Since the decision of the Chinese Government, the TianfuCup was set up for the first time in the fall of 2018. Last year, white hat hackers earned more than $1 million for zero-day exploits disclosed at the Tianfu Cup PWN competition.
According to the organizers, in 2018 hackers earned $1,024,000 for a total of 30 vulnerabilities. Most of the amount of money, $620,000, was paid to a team from cybersecurity firm Qihoo 360. Other participants were teams from universities, Tencent, financial service provider Ant Financial, and independent researchers.
During the Day1 of the Tianfu Cup 2019 contest 13 hacking attempts out of a total of 32 were successful, 13 attempts failed and in 12 cases the researchers abandoned the attempts.
Below the list of successful attempts:
Researchers from the ddd @ExpSky and 360vulcan @mj0011sec teams achieved remote code execution and sandbox escape on the version of Microsoft Edge based on the EdgeHTML engine. Each exploit was paid $55,000, the team .(dot) get $10,000 with RCE.
Congrats! All the three Edge exploits are confirmed to be success! Teams ddd @ExpSky and 360vulcan @mj0011sec both achieved RCE + sandbox escape, so each earned $55,000. Team .(dot) get $10,000 with RCE.
Exploit against #Chrome are verified to be effective. Team 0x34567a61 @Xbalien29@leonwxqian and Team ddd @ExpSky got $20,000 in their pockets, respectively. Congrats!
Three teams HAC, team StackLeader @yuzhou6666@ppdonow and team NoTrace Security Lab @NoTrace24657171 controlled #DLink DIR-878 successfully. There will be several other teams working on this target tomorrow. Let’s wait for the bonus result tomorrow.
360Vulcan @guhe120 controlled Office365 by downloading an RTF document via Edge. It partially bypassed the #ProtectionView to gain control. The researcher received a bonus of $40,000.
The researcher 360Vulcan @Xiaowei__ received the highest bounty in a single exploit in Day1, he devised an exploit on Ubuntu + #qemu- and achieved partial control of the host. He received a bonus of $80,000.
The exploit on Ubuntu + #qemu-kvm achieved partially control of the host. A bonus of $80,000 was won by 360Vulcan @Xiaowei__ being the highest bounty for a single exploit in Day 1 #TFC.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Pierluigi Paganini
November 17, 2019
