Pwn2Own 2021 Day 1 – participants earned more than $500k

The Pwn2Own 2021 hacking competition has begun and white hat hackers participants earned more than $500000 on the first day.

The Pwn2Own 2021 has begun, this year the formula for the popular hacking competition sees the distribution of the participants amongst various locations. The competition’s organizer, Trend Micro’s Zero Day Initiative (ZDI), describes this year’s event as one of the largest in Pwn2Own history, with 23 separate entries targeting 10 different products in the categories of Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and – our newest category – Enterprise Communications. The overall payout pool for Pwn2Own 2021 exceeds $1.5 million in cash and other prizes.

On the first day of the competition, participants earned more than half a million dollars for demonstrating to five working exploits out of seven attempts.

One of the biggest payouts was obtained by the Devcore team that earned $200,000 for taking over a Microsoft Exchange server by chaining authentication bypass and local privilege escalation vulnerabilities. The team also received 20 Master of Pwn points.

“The Devcore team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.” reads the post published by ZDI.

Confirmed! The Devcore team used an authentication bypass and a privilege escalation to take over the #Exchange server. They win the full $200,000 and 20 Master of Pwn points.

— Zero Day Initiative (@thezdi) April 6, 2021

Another researcher who uses the handle OV earned $200,000 for a Microsoft Teams code execution exploit and received 20 Master of Pwn points for his findings.

Success! OV was able to demonstrate his exploit of #Microsoft #Teams. They're off to the disclosure room with the details. If confirmed, it will be worth $200,000 USD and 20 Master of Pwn points.

— Zero Day Initiative (@thezdi) April 6, 2021

Then Jack Dates from RET2 Systems chained an integer overflow in Safari and an out-of-bounds Write issue to achieve kernel code execution. He earned $100K and received 10 Master of Pwn points to start the contest off right!

The Team Viettel also earned $40,000 for a local privilege escalation vulnerability in Windows 10, while the white hat hacker Ryota Shiga of Flatt Security earned $30,000 for a privilege escalation vulnerability in Ubuntu Desktop.

There were also two failed attempts, the STAR Labs team of Billy, Calvin and Ramdhan targeting Parallels Desktop in the Virtualization category were not able to get their exploit to work within the time allotted.

The same team failed in targeting Oracle VirtualBox in the Virtualization category because they were not able to get their exploit to work within the time allotted.

At the time of this writing the second day has just begun, with a succes.

Wow. @bkth_ and @_niklasb did it. They successfully demonstrated their exploit against #Chrome AND #Edge. Both browsers allowed code exec when hitting their website. They head to the disclosure room to drop the details. #Pwn2Own

— Zero Day Initiative (@thezdi) April 7, 2021

This year Tesla is offering up to $600K and a car for hacking a Testa vehicle under the automotive category, but no one has signed up for this category.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”); }); } catch (error) {} try { window._mNHandle.queue.push(function (){ window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”); }); } catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own 2021)

The post Pwn2Own 2021 Day 1 – participants earned more than $500k appeared first on Security Affairs.

Read the full article at