Reporting on Pwn2Own results always proves to be a popular article and the topic is always interesting with the contest changing a little bit each year. This year’s contest is taking place over yesterday, today, and tomorrow at the CanSecWest 2013 conference. It places bounties on bugs in browsers Chrome, IE, Firefox, and Safari. This year’s twist is also allowing compromises using browser plugins in IE9 on Windows 7 for Adobe Reader XI, Adobe Flash, and Java.
The contest coordinators, HP’s DVLabs, announced yesterday that they would be buying all unique exploits that pre-registered contestants used.
The first contestant to successfully compromise a selected target wins the prizes for the category. Along with the prize money, the contestant will receive the compromised laptop and 20,000 ZDI reward points* which immediately qualifies them for Silver standing.
*Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions over the next calendar year, 25% reward point bonus on all ZDI submissions over the next calendar year and paid travel and registration to attend the 2013 DEFCON Conference in Las Vegas.
The categories for this year’s competition include:
- Web Browser
- Google Chrome on Windows 7 ($100,000)
- Microsoft Internet Explorer, either
- IE 10 on Windows 8 ($100,000), or
- IE 9 on Windows 7 ($75,000)
- Mozilla Firefox on Windows 7 ($60,000)
- Apple Safari on OS X Mountain Lion ($65,000)
- Web Browser Plug-ins using Internet Explorer 9 on Windows 7
- Adobe Reader XI ($70,000)
- Adobe Flash ($70,000)
- Oracle Java ($20,000)
The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win.
For more details on the contest, the full rules are available at the TippingPoint blog.
From the HP community for Pwn2Own 2013 and @thezdi Twitter accounts, yesterdays entries were all successful.
James Forshaw was able to exploit Java.
Joshua Drake also exploited Java.
VUPEN Security, who dominated pretty well last year, pwned IE 10 on a Microsoft Surface Pro running Windows 8.
Chrome was compromised by MWR Labs. (Brief write-up on their blog.)
Vupen Security came around for a second round of whooping to exploit Firefox and Java.
Later today Vupen Security, George Hotz, and Pham Toan will give it a shot at demonstrating Flash, Reader, and Internet Explorer 10 exploits.
Stay tuned to this article here on 404 Tech Support and I’ll update it with new notices throughout the #Pwn2Own competition.
Update: Thursday’s contest resulted in more successful exploits.
@VUPEN just took down Adobe Flash for $70k and a grand total of $250k!
George Hotz exploited Adobe Reader XI
#pwn2own “The first thing I did was break into the sandbox, the next thing I did was break out” -Hotz
@Benmmurphy was able to join those able to exploit Java.