Tianfu Cup 2019 Day 1 – Chinese experts hacked Chrome, Edge, Safari, Office365

Pierluigi Paganini November 17, 2019

The Tianfu Cup 2019 International Cyber ​​Security Competition has started, in two days white hat hackers will attempt to exploit flaws in major software.

The Tianfu Cup 2019 International Cyber ​​Security Competition has started, white hat hackers will attempt to devise working zero-day exploits for popular software.

Each working exploit receives a cash prize and points that are assigned to the team that devised it, like the popular Pwn2Own hacking contest.

Chinese white hat hackers have a long story of success, they won several international hacking contests in the past, but in 2018 the Chinese government prohibited Chinese experts in participating this kind of competition abroad.

Since the decision of the Chinese Government, the TianfuCup was set up for the first time in the fall of 2018. Last year, white hat hackers earned more than $1 million for zero-day exploits disclosed at the Tianfu Cup PWN competition.

According to the organizers, in 2018 hackers earned $1,024,000 for a total of 30 vulnerabilities. Most of the amount of money, $620,000, was paid to a team from cybersecurity firm Qihoo 360. Other participants were teams from universities, Tencent, financial service provider Ant Financial, and independent researchers.

During the Day1 of the Tianfu Cup 2019 contest 13 hacking attempts out of a total of 32 were successful, 13 attempts failed and in 12 cases the researchers abandoned the attempts.

Below the list of successful attempts:

  • Researchers from the ddd @ExpSky and 360vulcan @mj0011sec teams achieved remote code execution and sandbox escape on the version of Microsoft Edge based on the EdgeHTML engine. Each exploit was paid $55,000, the team .(dot) get $10,000 with RCE.
  • Researcher @codecolorist got a partially successful entry on Safari and earned $30,000.
  • 360Vulcan @guhe120 controlled Office365 by downloading an RTF document via Edge. It partially bypassed the #ProtectionView to gain control. The researcher received a bonus of $40,000.
  • The researcher 360Vulcan @Xiaowei__ received the highest bounty in a single exploit in Day1, he devised an exploit on Ubuntu + #qemu- and achieved partial control of the host. He received a bonus of $80,000.

Let’s wait for new success attempts for Day2.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Tianfu Cup, exploit)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment