Zero-day exploits earned hackers $105,000 in total on Thursday during the second day of the Pwn2Own contest in Vancouver, British Columbia.
Packed into a small basement room, a rapt crowd watched as Richard Zhu successfully hacked Firefox and gained control of the target computer to win $50,000 and clinch the overall victory for the competition. That in addition to his wins Wednesday, when he earned $70,000 successfully targeting Microsoft Edge with an exploit that took him almost a week of work to develop.
Zhu, a veteran of the world class Carnegie Mellon University capture the flag (CTF) team as well as previous Pwn2Own competitions, had a particularly memorable run against Microsoft Edge when he debugged his exploit on the fly and on the clock, succeeding on his third and final attempt. It followed a three-strike failure when Zhu opened the contest with an unsuccessful attempt to hack Safari, Apple’s default browser.
“I put a lot of work into each exploit,” Zhu said. “I really want it to work. When it doesn’t work on the target machines that I’ve already tested it on — I bought the exact model machine they use — then I’m at a loss. I’m thinking what to try, should I just rerun the exploit, should I reboot?”
Here’s the jacket and trophy Zhu won alongside $120,000 in prizes:
Zhu chalked the initial failures and dramatics up to address space layout randomization, a defense that adds a layer of volatility to how an operating system stores instructions in memory. It tripped up multiple attackers because the situation is never the exact same as it is during tests. Don’t feel too bad for them, though: Everyone who failed at this year’s Pwn2Own later showed that all their exploits do in fact work. They were all purchased through the traditional bug bounty program associated with the competition, which is organized by Trend Micro’s Zero Day Initiative as part of the CanSecWest conference.
A team from the cybersecurity firm MWR Labs also won $55,000 after it used a heap buffer underflow in Safari and an uninitialized stack variable in macOS to escape the browser’s sandbox and take control of the target computer. Those vulnerabilities function by corrupting memory data and exploiting Windows at the kernel level, respectively.
Today’s competition was dominated by veterans of collegiate CTF, a cybersecurity competition where players solve problems and attack targets. If this year’s Pwn2Own is any evidence, it’s exceptionally strong training for exploit development.
All three are alumni of Rensselaer Polytechnic Institute, an elite engineering school that doesn’t have an official cybersecurity program but has nevertheless been pumping out significant talent in the field over the last several years. The trio are all ex-president of RPIsec, the school’s student-run CTF team that recently won CSAW, the premiere collegiate CTF contest.
Samuel Groß (saelo) and Niklas Baumstark (_niklasb) share a similar path from a European start. The German students, who successfully targeted Safari and Oracle VirtualBox on Monday, compete in CTF contests for Karlsruhe Institute of Technology and recently won the European CSAW. Just like RPI, KIT has no official cybersecurity program but instead has a group of passionate and competitive students who compete at a world class level.
Pwn2Own looked noticeably different this year.
Chinese contestants from major companies had been dominating the contest in recent years, but new regulations from Beijing prohibited them from joining this year’s fray.
In what contest organizers optimistically called a “return to Pwn2Own’s roots,” this year was filled with individual and small teams of students as opposed to the very large and professional Chinese teams that had been competing as recently as last year.
The future of Chinese contestants remains unclear.