Due to an outbreak of coronavirus this year, the Pwn2Own contest was not quite ordinary. Under normal circumstances, the event is part of the CanSecWest conference in Canada, but this time many researchers were unable or unwilling to come to Vancouver, thereby putting their health at risk. As a result, the competition took place in a virtual environment: the participants sent their exploits to the organizers Pwn2Own, Zero Day Initiative in advance, and they launched the code during the live broadcast, which was attended by all participants.
For two days of the competition, the teams successfully compromised Windows, macOS, Ubuntu, Safari, Adobe Reader, and Oracle VirtualBox. All bugs identified and used during the contest were immediately brought to the attention of the respective companies.
IN first day of Pwn2Own 2020 researchers earned a total of $ 180,000. So, a team from the Georgia Institute of Technology and Security Lab has successfully executed macOS code through Safari. The exploit chain, which included running the calculator in Safari and escalating privileges to root (by combining six different vulnerabilities), earned them $ 70,000 and 7 Master of Pwn points.
Also on that day, rookie contestant Manfred Paul of the RedRocket CTF team earned $ 30,000 and 3 Master of Pwn points for a local privilege-based exploit aimed at Ubuntu Desktop. His exploit used the improper input problem.
True veterans of Pwn2Own, the Fluoroacetate team, which includes Amat Cama and Richard Zhu, have traditionally shown the class this year. Let me remind you that this team won the last three Pwn2Own competitions (in November and March 2019, as well as November 2018) and currently Kama and Zhu are considered one of the best hackers in the world and the most successful Pwn2Own participants. Last fall, they won a Tesla car at a competition and earned nearly $ 200,000.
On the first day of this spring Pwn2Own Fluoroacetate, they earned $ 40,000 and 4 Master of Pwn points for an exploit of local privilege escalation oriented to Windows 10. Zhu also received an additional $ 40,000 and 4 points in Master of Pwn for another privilege exploit, too oriented to Windows 10.
On the second day the competition, the STAR Labs team received $ 40,000 and 4 Master of Pwn points for successfully demonstrating an exploit for VirtualBox that led to the escape from the guest OS and the execution of arbitrary code on the host. The exploit was related to out-of-bounds reading and the uninitialized variable problem.
Amat Kama and Richard Zhu earned another $ 50,000 and 5 points for Master of Pwn for demonstrating hacking using the use-after-free vulnerabilities in Adobe Reader and the Windows kernel.
Synacktiv team tried to hack VMware Workstation, but their attempt was unsuccessful. At the end of the day, a representative of the Zero Day Initiative held a special demonstration outside the competition: a guest escaping to a host in VirtualBox.
As a result, this time the Fluoroacetate team was again the winner of the contest, and the contestants in total earned $ 270,000.