Last weekend the Tianfu Cup competition took place in China, in which, as at Pwn2Own, the best hacking teams competed by cracking popular products. The essence of the competition is to use previously unknown vulnerabilities to take control of an application or device. If the attack succeeds, the researchers receive points, cash prizes, and the reputation that inevitably follows a victory at such an event.
In fact, the Tianfu Cup is very similar to Pwn2Own and was created precisely after the Chinese government banned local information security researchers from participating in hacking competitions organized abroad in 2018. The first Tianfu Cup competition took place in the fall of 2018, and then researchers successfully hacked applications such as Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox and more.
This year, the Tianfu Cup was no less successful for the participants. On the first day of the competition, 11 teams planned 32 different hacks, targeting Edge, Chrome, Safari, Office 365 and more. By the end of the day, 13 of these attacks were successful. Another 7 attempts failed, and in 12 cases the researchers were forced, for various reasons, to abandon their attempts.
Summing up the first day, the organizers of the competition reported the following successful hacks:
- (3 successful exploits) Microsoft Edge (the old version on the EdgeHTML engine, not the new Chromium-based version) (tweet);
- (2 successful exploits) Chrome (tweet);
- (1 successful exploit) Safari (tweet);
- (1 successful exploit) Office 365 (tweet, tweet);
- (2 successful exploits) Adobe PDF Reader (tweet);
- (3 successful exploits) D-Link DIR-878 Router (tweet);
- (1 successful exploit) QEMU-KVM + Ubuntu (tweet, tweet).
After the first day, Team 360Vulcan, the former winner of Pwn2Own, was the leader in the number of points.
I’m not at all surprised to see 360Vulcan has an exploit in every category. They are a large team with a lot of skilled people. Also, they always dominate by quantity in pwn contests, they go after everything. (The router bugs don’t pay out enough, I guess, to attract 360) https://t.co/bvn41vIK16
– thaddeus e. grugq (@thegrugq) November 16, 2019
On the second day of the competition, 16 hacking attempts were planned. Only half of them were effective, and in eight cases the researchers again abandoned their attempts. Of the eight successful attacks, however, only seven reached their goals, and one attack did not work. The seven exploits that worked as expected targeted:
Unfortunately, on the second day of the competition, Team 360Vulcan members abandoned their attempt to hack iOS, which had been scheduled as the final attempt of the tournament. In general, participants from different teams failed or declined to hack Edge, Chrome, Safari, Adobe Reader, Oracle VirtualBox, TP-Link and D-Link routers, Windows Server 2019, VMware Workstation and iPhone 11 Pro.
However, Team 360Vulcan still won the competition, earning $382,500 for its efforts to hack Microsoft Edge, Microsoft Office 365, qemu + Ubuntu, Adobe PDF Reader, and VMware Workstation. The exploits for VMware and qemu + Ubuntu alone brought them $200,000 and $80,000, respectively.
The runner-up, ddd Team, earned a total of $83,750 for exploits targeting Edge, Chrome, Adobe Reader, and D-Link routers.