March 23, 2019 at
On the second day of Pawn2Own, an annual hacking competition is in its second day. The competition, which is held in parallel to CanSecWest, shelled out over $270 thousand for exploits to two of the larger browsers at use today.
The big winners of the day was the team called Fluoroacetate which consists of Amat Cama and Richard Zhu. The dynamic duo first hacked Mozilla’s Firefox using a JIT bug in the browser itself and leveraging that with a follow up out-of-bounds write exploit in the Windows kernel. This allowed Fluoroacetate to sucker-punch the system and take it over.
Zero Day Initiative, writing up the day’s results, said that they were actually able to execute code at “SYSTEM level” (emphasis added by ZDI) in a remarkably simple fashion by getting Firefox to visit their specially crafted website. The duo received $50 thousand for their effort, but they were not done yet.
They then managed to exploit Edge in such a way that they were able to take over the host system even though the browser was running in a Virtual Machine. The Edge exploit was highly praised by attendees and the Zero Day Initiative itself. The use of the out-of-bounds bug to escape VMWare was particularly praised by everyone involved with the type confusion kicking off the bug followed by a race conditional in the kernel.
The @fluoroacetate duo does it again. They used a type confusion in #Edge, a race condition in the kernel, then an out-of-bounds write in #VMware to go from a browser in a virtual client to executing code on the host OS. They earn $130K plus 13 Master of Pwn points. pic.twitter.com/mD13kozJLv
— Zero Day Initiative (@thezdi) March 21, 2019
The second exploit not only earned them $130 thousand, but it also saw them awarded 13 Master of Pwn points. This will go a long way to helping the duo to stay top of the rankings and taking their total Pawn2Own 2019 winnings to $340 thousand over the first two days.
However, the impressive hacking duo were not the only people who were receiving plaudits on the second day.
Mozilla’s Firefox was broken a second time that day by hacker Niklas Baumstark. His exploit allowed him to execute system level code on a PC by leveraging a JIT bug in Firefox. This was the second JIT bug found in Firefox on the same day.
ZDI wrote that in a real-world scenario, this could potentially allow an attacker to run admin-level code on a target system. They also note that Niklas was awarded $40 000 for his efforts in spotting this bug and exposing the exploit.
An Exodus Intelligence researcher by the name of Arthur Gerkis was the final contestant and making his debut in the Pawn2Own competition. He promptly wasted no time introducing himself to the world of bug finding by exploiting a double free bug in the Edge renderer. He followed this up with a logic bug that escaped the sandbox setting according to ZDI.
The researcher was awarded for his efforts for $50 thousand. Day 3 of the competition will focus on the automotive category, with a Tesla Model 3 being not only the prize but also the target of the participants. This will round out the competition for this year. All bugs are then sent out to the companies that they concern, with the hope that they will be patched in future updates.
Aside from browsers and the new automotive category, Pawn2Own also includes enterprise app, server-side and virtualization categories. Day 2 ended with 9 bugs found in total, and ZDI is hoping for more creativity and impressive showings for the last day of the competition.