Pwn2Own 2021 has begun. This year the format of the popular hacking competition sees the participants distributed across various locations. The competition's organizer, Trend Micro's Zero Day Initiative (ZDI), describes this year's event as one of the largest in Pwn2Own history, with 23 separate entries targeting 10 different products in the categories of Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and – our newest category – Enterprise Communications. The overall payout pool for Pwn2Own 2021 exceeds $1.5 million in cash and other prizes.
On the first day of the competition, participants earned more than half a million dollars for demonstrating five working exploits out of seven attempts.
One of the biggest payouts went to the Devcore team, which earned $200,000 for taking over a Microsoft Exchange server by chaining an authentication bypass with a local privilege escalation vulnerability. The team also received 20 Master of Pwn points.
"The Devcore team combined an authentication bypass and a local privilege escalation to completely take over the Exchange server. They earn $200,000 and 20 Master of Pwn points," reads the post published by ZDI.
Another researcher who uses the handle OV earned $200,000 for a Microsoft Teams code execution exploit and received 20 Master of Pwn points for his findings.
Then Jack Dates from RET2 Systems chained an integer overflow in Safari with an out-of-bounds write to achieve kernel code execution. He earned $100K and received 10 Master of Pwn points to start the contest off right!
Team Viettel also earned $40,000 for a local privilege escalation vulnerability in Windows 10, while white hat hacker Ryota Shiga of Flatt Security earned $30,000 for a privilege escalation vulnerability in Ubuntu Desktop.
There were also two failed attempts. The STAR Labs team of Billy, Calvin and Ramdhan targeted Parallels Desktop in the Virtualization category but was not able to get its exploit to work within the time allotted.
The same team also failed against Oracle VirtualBox in the Virtualization category, again because it was not able to get its exploit to work within the time allotted.
At the time of this writing the second day has just begun, with a success.
This year Tesla is offering up to $600K and a car for hacking a Tesla vehicle in the automotive category, but no one has signed up for this category.
(SecurityAffairs – hacking, Pwn2Own 2021)