On the second day of the Pwn2Own 2019 hacking competition, white hat hackers earned a total of $270,000 for exploits against the Mozilla Firefox and Microsoft Edge web browsers.
Day 2 at Pwn2Own 2019 hacking competition – White hat hackers earned $270,000 for exploits against the Mozilla Firefox and Microsoft Edge browsers.
The security duo Amat Cama and Richard Zhu of team Fluoroacetate earned $50,000 for a Firefox exploit with kernel escalation. The experts chained a just-in-time (JIT) bug and an out-of-bounds write flaw in the Windows kernel.
“They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website,” reads the post published by the Zero Day Initiative (ZDI). “The effort earned them another $50,000 and five more points towards Master of Pwn.”
AmatCama and Richard Zhu also earned $130,000 and 13 Master of Pwn points for a complex Edge hack that chained a race condition in the kernel to escalate privilege and an out-of-bounds write issue in VMware Workstation to escape the sandbox. The duo demonstrated that an attacker can exploit the bug in the web browser running in a virtual machine to execute arbitrary code on the host operating system.
The two experts already have racked up a total of $340,000 in the first teo days.
The second day of Pwn2Own 2019 sees Niklas Baumstark (@_niklasb) earning $40,000 and 4 Master of Pwn points for a JIT bug in Firefox and a logic flaw that allowed a sandbox escape.
“In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user. The successful demonstration earned him $40,000 and 4 Master of Pwn points.” continues the post.
The last hack of the day was demonstrated by Arthur Gerkis of Exodus Intelligence that earned $50,000 for a Microsoft Edge exploit with a sandbox escape. The exploit leverages a double-free bug in the render component and a logic bug for bypassing the sandbox.
If you are interested in exploits demonstrated in the first day of the Pwn2Own 2019 read here.
During the first day, participants hacked Apple Safari browser, Oracle VirtualBox and VMware Workstation.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.