Amidst the havoc wreaked by Coronavirus, the annual hacking event Pwn2Own is underway, and for the first time, the contest is being held remotely. On the first day of Pwn2Own, several ethical hackers from all over the world participated and demonstrated their capabilities.
Pwn2Own 2020: Day 1
Manfred Paul of the RedRocket team won $30,000 and 3 Master of Pwn points by successfully using an improper input validation bug to escalate privileges on an Ubuntu desktop. Paul is a newcomer to the annual hacking event and accomplished his goal on the very first attempt.
Confirmed! Manfred Paul of @redrocket_ctf used an improper input validation bug to escalate privileges on #Ubuntu Desktop. His first foray into #Pwn2Own nets him $30,000 and 3 Master of Pwn points. pic.twitter.com/nzLhyckDN7
— Zero Day Initiative (@thezdi) March 18, 2020
A team from the Georgia Tech Systems Software and Security Lab won the maximum amount of $70,000 on the first day by targeting Apple Safari. They used a six-bug chain to pop calc and escalate to root.
Last year’s champion team, Fluorescence, took home $40,000 by leveraging a use-after-free (UAF) in Windows to escalate to SYSTEM.
Pwn2Own 2020: Day 2
On the second day of the event, Phi Phạm Hồng from STAR Labs targeted Oracle VirtualBox, using an out-of-bounds (OOB) read for an info leak and an uninitialized variable for code execution on the hypervisor. Phi Pham Hong won $40,000 for it.
The Synacktiv team of Corentin Bayet and Bruno Pujos targeted VMware Workstation in the virtualization category but failed to demonstrate their exploit in the provided time.