The Pwn2Own "World Cup" once again put on an amazing show: security researchers demonstrated vulnerabilities live under realistic conditions, including time pressure, and hijacked nearly everything that was offered to them.
In the past, the hacker was allowed to keep the hijacked device, hence the name Pwn2Own: in the jargon of the scene, "pwn" refers to a successful takeover because it sounds like "own", and "2" corresponds to "two" and "to". Today, manufacturers themselves often pay five- to six-figure sums for reported security holes, and the competition has followed suit.
Completely hijacked
The focus this year was on communication platforms such as Microsoft Exchange, Teams and Zoom; the organizer paid $200,000 for each successful compromise of one of them. Browser vulnerabilities in Safari, Chrome, and Edge still brought in $100,000.
Another target was virtual machines: four ways to break out of Parallels' virtual environment were shown – one of them by Alisa Esage, the only woman in the male-dominated competition.
The organizer offered $40,000 for the "escape to the host" exploits. However, it retroactively downgraded the breakouts presented to a partial success because the exploited vulnerabilities were still open, but presumably already known to the manufacturer. Incidentally, Oracle's VirtualBox was the only product in the competition that came through unscathed. [Update 15:30: Team Star Labs failed with its exploit because of the time limit.]
More rights
For operating systems, the focus this time was on a class of security vulnerabilities that is often underestimated: with privilege escalation exploits, an attacker increases their rights after breaking into the system. On Windows 10, four attackers gained SYSTEM rights and received $30,000 for this; on Ubuntu, three hackers got the same amount for root privileges.
All the hacked systems were up to date, meaning they had already received all available security updates. The vulnerabilities demonstrated are therefore so-called zero days (0-days), for which the party under attack has had no time to protect themselves, for example by installing patches.
For all 0-day gaps shown, the participants then had to reveal to the organizer how they had achieved their goal. The organizer is Trend Micro's Zero Day Initiative (ZDI), which will now inform the manufacturers so they can close the holes with updates.