Pierluigi Paganini November 19, 2018

Hackers earned more than $1 million for zero-day exploits disclosed at the Tianfu Cup PWN hacking contest that took place on November 16-17 in Chengdu.

Hackers earned more than $1 million for zero-day exploits disclosed at the Tianfu Cup PWN competition that took place on November 16-17 in Chengdu during the Tianfu Cup conference.

According to organizers, hackers earned $1,024,000 for a total of 30 vulnerabilities. Most of the amount of money, $620,000, was paid to a team from cybersecurity firm Qihoo 360. Other participants were teams from universities, Tencent, financial service provider Ant Financial, and independent researchers.

The highest reward is $200,000 that was paid out to participants that presented an iPhone X jailbreak and a remote code execution exploit.

White hat hackers earned a total of $120,000 for two Microsoft Edge exploits that could be exploited by remote attackers to execute arbitrary code.

Hackers also devised two Chrome exploit chains that allowed them to earn a total of $150,000.

Three teams earned $150,000 for Safari vulnerabilities, including $100,000 for a macOS zero-day exploit, organizers also paid $100,000 for hacking VMware Workstation and Fusion.

The VMware flaw could be exploited to execute code on the Workstation host from the guest, the company is working to provide a patch as soon as possible.

The iPhone X exploit leverages a type confusion Just-in-Time (JIT) bug in Safari and a use-after-free vulnerability in the iOS kernel. The organization notified the flaw to Apple and confirmed that hackers will share technical details after Apple will release a fix.

Hackers also demonstrated two Oracle VirtualBox exploit chains that were awarded $120,000.

Participants also earned a total of $80,000 for three Adobe Reader exploits and other $80,000 for a Microsoft Office exploit chain involving a logical bug and a memory corruption vulnerability.

Many other rewards were paid for working exploits for Vivo X23, OPPO R17, and Xiaomi Mi 8 smartphones.

Recently participants to another contest, the Zero Day Initiative’s Pwn2Own Tokyo 2018 earned over $300,000 for disclosing flaws affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.

Pierluigi Paganini

(Security Affairs – Tianfu Cup PWN hacking contest, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]