Largest Payout Ever At Pwn2Own 2015
Written by Alex Armstrong   
Monday, 23 March 2015

Finalists in last week's Pwn2Own contest amassed a total of $557,500 in bounty by revealing 21 security vulnerabilities. Mozilla has already updated Firefox 36 to fix three critical bugs.

Pwn2Own is rather an elite event involving just a few teams and individuals who travel to Vancouver to attend CanSecWest with the expectation they will return home with a fistful of dollars, as explained by Nicolas Jupen, formerly with Vupen, who netted $90,00 dollars on Day 1 of Pwn2Own by taking down Adobe Reader and Adobe Flash.

 

Day 1 began with KeenTeam from China exploiting Adobe Flash using a heap overflow remote code execution vulnerability. The 3-person team then leveraged a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. They were awarded $60,000 USD for the Flash bug and a bonus of $25,000 for the SYSTEM escalation. They later increased their takings to $130,00 by taking down Adobe Reader with an integer overflow and achieving pool corruption through a different TTF bug, which gave them SYSTEM access.

Also on Day 1, Mariusz Mlynski, a researcher from Poland, was awarded $55,000 when he knocked out Mozilla Firefox in just over half a second through a cross-origin vulnerability followed by privilege escalation which allowed him to execute a logical flaw to escalate to SYSTEM in Windows.

New entrants to the contest, 360Vulcan Team, won $32,500 for an exploit of 64-bit Microsoft Internet Explorer 11 with an uninitialized memory vulnerability providing them medium-integrity code execution.

This year's was the 25th contest and it saw the single biggest payout in Pwn2Own history - a total of $110,000 for an exploit that affects both the stable and beta versions of Google Chrome. It leveraged a buffer overflow race condition in Chrome, then used an info leak and race condition in two Windows kernel drivers to get SYSTEM access. It went to South Korean JungHoon Lee, aka lokihardt, who made two further successful exploits.

He was awarded $65,000 for taking out 64-bit Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) vulnerability allowing for read/write privileges. He evaded all the defensive mechanisms by using a sandbox escape through privileged JavaScript injection, all of which resulted in medium-integrity code execution. 

His final feat was to take out Apple Safari using a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser and bypassing the sandbox for code execution. That netted him another $50,000 USD and brought his daily total to $225,000.

Day 2 started with a rapid exploit of Mozilla Firefox with an out-of-bounds read/write vulnerability leading to medium-integrity code execution by ilxu1a, who received $15,00 for the bug he found through static analysis. Later in the day, ilxu1a attempted to exploit Google Chrome, but ran out of time before he could get his code working, as reported in this overview of Day 2's contest.

 

 

The final numbers for Pwn2Own 2015 are:

 

  • 5 bugs in the Windows operating system
  • 4 bugs in Internet Explorer 11
  • 3 bugs in Mozilla Firefox
  • 3 bugs in Adobe Reader
  • 3 bugs in Adobe Flash
  • 2 bugs in Apple Safari
  • 1 bug in Google Chrome

  • $557,500 USD bounty paid out to researchers


Last Updated ( Tuesday, 24 March 2015 )