In its second year under Trend Micro’s ownership, the popular hacking event Pwn2Own is celebrating its 10-year anniversary.
The targets this year include VMware Workstation, Microsoft Hyper-V, Google Chrome, Microsoft Edge, Mozilla Firefox, Adobe Flash in Microsoft Edge, and Apple Safari. There are also demonstrations of local Escalation of Privilege bugs against Windows, macOS, and Ubuntu Desktop. Enterprise applications are also being added this year, with Adobe Reader, Microsoft Word, Excel, and PowerPoint being included. Another new category is server-side exploits, with Apache Web Server on Ubuntu Server as the target.
Day One
Day one got off to a successful start.
- 360 Security targeted Adobe Reader successfully for $50,000.
- Samuel Groß and Niklas Baumstark were partially successful against Apple Safari with an escalation to root on macOS for $28,000.
- Tencent Security – Team Ether successfully exploited Microsoft Edge for $80,000.
- Chaitin Security Research Lab successfully exploited Ubuntu Desktop for $15,000.
- Tencent Security – Team Ether withdrew from this attempt against Microsoft Windows.
- Ralf-Philipp Weinmann withdrew from an attempt against Microsoft Edge.
- Tencent Security – Team Sniper failed against Google Chrome within the time limit.
- Tencent Security – Team Sniper succeeded against Adobe Reader for $25,000.
- Chaitin Security Research Lab succeeded with an exploit of Apple Safari with an escalation of privilege on macOS for $35,000.
- Richard Zhu failed to exploit Apple Safari within the allotted time.
In total, $233,000 was paid out on Day 1 of Pwn2Own 2017. The contestant with the most Master of Pwn points at the end of the contest will receive an additional $25,000.
For more details, you can view the Trend Micro day 1 recap and their video below.
Day Two
Day two of Pwn2Own 2017 added a second track to focus on the macOS line.
- 360 Security successfully exploited Adobe Flash with an elevated SYSTEM bug earning $40,000.
- Tencent Security – Team Shield withdrew from an Apple macOS attempt.
- Tencent Security – Team Sniper succeeded against Adobe Flash with a SYSTEM level escalation for $40,000.
- 360 Security succeeded against Apple macOS for $10,000.
- Tencent Security – Lance Team succeeded against Microsoft Edge with a SYSTEM level escalation for $55,000.
- 360 Security succeeded against Apple Safari with escalation to root on macOS for $35,000.
- Tencent Security – Sword Team was disqualified in this attempt for using known bugs against Microsoft Edge.
- Chaitin Security Research Lab succeeded against macOS for $10,000.
- Tencent Security – Lance Team withdrew in this attempt against Windows.
- Tencent Security – Team Sniper was disqualified in this attempt for using known bugs against Apple macOS.
- Tencent Security – Team Shield withdrew in this attempt against Microsoft Edge.
- Moritz Jodeit, Blue Frost Security, failed to exploit Mozilla Firefox within the time limit.
- Tencent Security – Team Sniper succeeded against Microsoft Edge with a SYSTEM-level escalation for $55,000.
- Chaitin Security Research Lab succeeded against Mozilla Firefox with a SYSTEM-level escalation for $30,000.
- 360 Security succeeded against Windows for $15,000.
- Tencent Security – Team Sniper succeeded against Apple Safari with escalation to root on macOS for $35,000.
- Tencent Security – Team Sniper succeeded against Windows for $15,000.
For more details, you can view the Trend Micro day 2 recap and their video below.
Day Three
The last day of Pwn2Own 2017 brought three more successful attempts at compromising the targets, with over $250,000 given away.
- 360 Security succeeded against Microsoft Edge with a SYSTEM-level escalation and a virtual machine escape for $105,000.
- Richard Zhu succeeded against Microsoft Edge with a SYSTEM-level escalation for $55,000.
- Tencent Security – Team Sniper succeeded against VMware Workstation for $100,000.
For more details, you can view the Trend Micro day 3 recap.
360 Security was crowned the Master of Pwn at Pwn2Own 2017 with the most points, earning an extra $25,000 for the title.