

The Pwn2Own hacking contest wrapped up this week and the big news is that this was the biggest such event ever. The event is run by HP’s Zero Day Initiative (ZDI), and it challenges security researchers to demonstrate flaws in popular consumer and enterprise software platforms. HP analyzes the information disclosed at Pwn2Own to improve the company’s products and research, and also provides the information to the affected vendors to improve the security of the products for end users. In addition to a record event size, an unprecedented $850,000 was paid out to researchers plus additional prizes including the compromised laptops and ZDI rewards points. Among the many to fall were Apple Safari, Mozilla Firefox, Internet Explorer, Adobe Flash and Google Chrome; each had exploits come forward in the event which have since been disclosed to the vendors.
This two-day competition wrapped up on Thursday at the CanSecWest conference at the Sheraton Wall Hotel in Vancouver. Day One and Day Two summaries and results have been posted by HP.
The following vulnerabilities were successfully presented in the Pwn2Own competition:
By Jüri Aedla:
Against Mozilla Firefox, an out-of-bound read/write resulting in code execution.By Mariusz Mlynski:
Against Mozilla Firefox, two vulnerabilities, one allowing privilege escalation within the browser and one bypassing browser security measures.By Team VUPEN:
Against Adobe Flash, a use-after-free with an IE sandbox bypass resulting in code execution.Against Adobe Reader, a heap overflow and PDF sandbox escape, resulting in code execution.
Against Microsoft Internet Explorer, a use-after-free causing object confusion in the broker, resulting in sandbox bypass.
Against Mozilla Firefox, a use-after-free resulting in code execution.
The event is one of the most well-known security contests in the business and the prize money is a big part of that, but there’s also bragging rights, respect from the community and for the vendors, real research on the line. The event brings together hackers and vendors in a fun and interesting challenge that helps further the knowledge of weaknesses and methodologies in the industry today. Pwn2Own is designed to give the security industry an edge over adversaries by encouraging researchers to find and responsibly disclose unknown security vulnerabilities.
HP and Google also introduced a new “Pwn4Fun” category that took place the evening before Pwn2Own, in which HP and Google researchers squared off against each other in the various contest categories. For this sponsors-only contest, prize money awarded for successful exploits were donated to the Canadian Red Cross.
We spoke to manager the manager of the Zero-Day Initiative Brian Gorenc, after day one and the energy of the event was clearly big. Not only were there all these big exploits emerging, but there was a good deal of newer products being introduced at the contest with good variety. That’s what the event is all about, vendors and practitioners coming together, sharing info and product. All towards a better goal, and with these large prizes looming the impact on things like your favorite browser was significant. Each vendor had put together the best product they could, fully patched and ready for the onslaught, so much was learned.
This is a chance for the white hats – ‘good’ hackers – to show their stuff. The prize money just makes it all that more interesting and for the products that get hacked they find out about so much that needs fixing. Nothing is impervious to determined hackers with resources, motivation and time, so this kind of event really helps simulate some of that in a controlled and sharing arena. As a testament to its popularity, Gorenc states that this event had the highest number of entries ever. Teams prepare for months for the event, in pursuit of sizable prizes. For all their efforts though this year there was one untouched challenge. “Exploit Unicorn” worth $150,000 was unassailed for now, the required exploit would need to be characterized as a system-level code execution on Windows 8.1 x64 with other specialized characteristics.
HP has also put out this infographic that covers the various routes a vulnerability can take in white, black and gray markets.
THANK YOU