The Pwn2Own hacking contest for spring 2020 is over. This year's winner is the Fluoroacetate team, which consists of security researchers Amat Cama and Richard Zhu. The team earned nine points over the two-day competition, dominating it and winning its fourth in the tournament series.
This year's competition was a notable event. The spring edition of the Pwn2Own hacking competition normally takes place at the CanSecWest cyber-security conference, held every spring in Vancouver, Canada, but this year things were different.
Because of the coronavirus pandemic and the travel restrictions imposed in many countries around the globe, many security researchers were unable to attend or were unwilling to travel to Vancouver, thinking they might be jeopardizing their health.
Instead, this year's Pwn2Own was the first hacking competition to take place in a virtual environment.
Participants sent their exploits to the Pwn2Own organizers in advance, and the organizers ran the code during a live stream with all participants present.
During the two-day competition, six teams managed to compromise applications and operating systems such as Windows, macOS, Ubuntu, Safari, Adobe Reader and Oracle VirtualBox. All bugs exploited during the competition were immediately reported to their respective companies.
Attempt No 1: The team of Yong Hwi Jin (@jinmo123), Jungwon Lim (@setuid0x0_) and Japan's Insu Yun (@insu_yun_en) targeted Apple Safari with a macOS kernel privilege escalation. The attempt was successful. The Georgia Tech team exploited six bugs to open the calculator application on macOS and escalate its access rights to root. The team earned $70,000 and 7 Master of Pwn points.
Attempt No 2: Security researcher Fluorescence (Richard Zhu) targeted Microsoft Windows with a local privilege escalation. The attempt was successful. The Pwn2Own veteran used a use-after-free vulnerability in Windows to escalate privileges. He earned $40,000 and 4 Master of Pwn points.
Attempt No 3: Manfred Paul of the RedRocket CTF team targeted Ubuntu Desktop with a local privilege escalation. The attempt was successful. The Pwn2Own newcomer used an input validation bug to escalate privileges. He earned $30,000 and 3 Master of Pwn points.
Attempt No 4: The Fluoroacetate team of Amat Cama and Richard Zhu targeted Microsoft Windows with a local privilege escalation. The attempt was successful. The winners of Master of Pwn took advantage of a Windows bug to escalate to SYSTEM. They earned $40,000 and 4 Master of Pwn points.
Attempt No 5: Phi Phạm Hồng (@4nhdaden) of STAR Labs (@starlabs_sg) targeted Oracle VirtualBox in the Virtualization category. The attempt was successful. The researcher used an out-of-bounds read bug to leak information and an uninitialized variable to execute code on the VirtualBox hypervisor. He earned $40,000 and 4 Master of Pwn points.
Attempt No 6: The Fluoroacetate team of Amat Cama and Richard Zhu targeted Adobe Reader with a local privilege escalation on Windows. The attempt was successful. The Fluoroacetate duo used two use-after-free bugs, one in Acrobat and one in the Windows kernel, to escalate privileges and take over the system. The team won $50,000 and 5 Master of Pwn points.
Attempt No 7: The Synacktiv team of Corentin Bayet (@OnlyTheDuck) and Bruno Pujos (@BrunoPujos) targeted VMware Workstation in the Virtualization category. The exploitation attempt failed. The team was unable to demonstrate its exploit within the required time.