The 2020 spring edition of the Pwn2Own hacking contest has come to a close today. This year’s winner is Team Fluoroacetate - made up of security researchers Amat Cama and Richard Zhu - who won the competition after accumulating nine points across the two-day competition, which was enough to extend their dominance and win their fourth tournament in a row.
But this year’s edition was a notable event for an additional reason. While the spring edition of the Pwn2Own hacking contest takes place at the CanSecWest cyber-security conference, held each spring in Vancouver, Canada, this year was different.
Due to the continued coronavirus (COVID-19) outbreak and travel restrictions imposed in many countries around the globe, many security researchers couldn’t attend or weren’t willing to visit Vancouver and potentially put their health in danger.
Instead, this year’s Pwn2Own edition has become the first-ever hacking contest hosted in a virtual setting.
Participants sent exploits to Pwn2Own organizers beforehand, and the organizers ran the code during a live stream with all participants present.
During the competition’s two-day schedule, six teams managed to hack apps and operating systems like Windows, macOS, Ubuntu, Safari, Adobe Reader, and Oracle VirtualBox. All bugs exploited during the competition were immediately reported to their respective companies.
The results of the two-day contest are below, broken down by each team’s attempt. The table at the bottom of the article is the competition’s final ranking.
Manfred Paul of the Red Rocket team won $30,000 and three Master of Pwn points by successfully using an improper input validation bug to escalate privileges on an Ubuntu desktop. Paul may be a newcomer to the annual hacking event and accomplished his goal on the very first attempt.
A team from the Georgia Tech Systems Software & Security Lab won the highest amount, $70,000, on the first day by targeting Apple Safari. They used a six-bug chain to pop calc and escalate to root.
Last year’s champion, Team Fluoroacetate, took home $40,000 by leveraging a use-after-free (UAF) in Windows to escalate to SYSTEM.
On the second day of the event, Phi Pham Hong from STAR Labs targeted Oracle VirtualBox, using an out-of-bounds (OOB) read for an info leak and an uninitialized variable for code execution on the hypervisor. Phi Pham Hong won $40,000 for it.
The Synacktiv team of Corentin Bayet and Bruno Pujos, who were supposed to target VMware Workstation in the virtualization category, did not demonstrate their exploit within the provided time.