Three gentlemen earned a total of $162,000 on day one of Pwn2Own. Put another way, Zero Day Initiative (ZDI) paid out $162,000 for three Apple bugs, two Oracle bugs, and three Microsoft bugs as Pwn2Own contestants targeted Microsoft Edge, Apple Safari, and Oracle VirtualBox.

Contestants are allowed three attempts within 30 minutes to demonstrate their exploit. Only three people competed on day one of the 11th annual Pwn2Own contest, being held during the CanSecWest 2018 Conference in Vancouver, British Columbia. The order of contestants attempting pwnage is decided by a drawing.

Up first was Richard Zhu (@fluorescence). He targeted Apple Safari with a sandbox escape, but he wasn’t able to get his exploit chain to work within 30 minutes. Nevertheless, ZDI called the bugs he used “interesting” and purchased the exploits through the ZDI program.

Apparently Zhu wasn’t rattled at all, as he competed again immediately and put the hurt on Microsoft Edge. Within his 30 minutes, his first attempt failed; his second attempt almost succeeded, but then the dreaded blue screen of death popped up as his shell started. ZDI noted that Zhu “brought a flair for the dramatic with him.” He succeeded on his third attempt with only one minute and 37 seconds left on the clock.

“In the end, he used two use-after-free (UAF) bugs in the browser and an integer overflow in the kernel to successfully run his code with elevated privileges. The dramatic effort earned him $70,000 and 7 points towards Master of Pwn.”

Niklas Baumstark (@_niklasb) was up next, and he targeted Oracle VirtualBox. ZDI wrote, “Apparently not one for added intrigue, his exploit immediately popped not one, but three different calcs to indicate success. His demonstration qualified as a partial success as he used an Out-of-Bounds (OOB) read and a Time of Check-Time of Use (TOCTOU) to still earn him $27,000 and 3 Master of Pwn points.”
