Network Security, Vulnerability Management

Pwn2Own contest yields 13 bugs, as virtual format expands talent pool


Research teams at the Pwn2Own 2020 competition successfully exploited 13 software vulnerabilities this past week, including bugs found in products from Adobe, Apple, Microsoft, Oracle and Ubuntu. Participants earned $270,000 over the two-day event -- the first Pwn2Own ever to be held virtually, as a measure to combat the rapid spread of the novel coronavirus.

Richard Zhu and Amat Cama of Fluoroacetate repeated from last year and were once again crowned Masters of Pwn. On day one, the team demonstrated a use-after-free (UAF) bug in Microsoft Windows and exploited it to escalate privileges to SYSTEM. The next day, they paired UAF bugs in Windows and Adobe Reader to once again elevate to SYSTEM.

Other highlights included the chaining of six bugs to produce a macOS kernel escalation of privilege in Apple Safari, another Windows UAF flaw allowing the escalation of privileges to SYSTEM, a local privilege escalation in Ubuntu Desktop, and a two-bug combination in Oracle VirtualBox that enabled code execution on the host OS from the guest OS. Unofficially, the event also featured one additional flaw in VMware Workstation and another in Oracle VirtualBox, although they did not count toward the competition.

The decision to hold Pwn2Own virtually could have implications for future competitions, after organizers found that the move opened up the event to global participants who in previous years may not have been able to join.

Even though number of participants was slightly down from last year, a number of participants said they would not have been able to compete if the competition had been held in person, according to ZDI.

"Going virtual has certainly increased the playing field as far as who can participate," Brian Gorenc, director of vulnerability research and head of the ZDI, told SC Media in an interview. "There are some researchers who would want to participate in the past, but travel restrictions or visa issues have prevented them from being at the contest in person. Going virtual allows us to accommodate those individuals. It's something we're going to consider in future competitions as well."

The virtual format required some key rule and procedural changes. Competitors were asked to send out their exploits prior to the competition. Then ZDI researchers -- based in Austin, Texas rather than at the CanSecWest security conference Vancouver, Canada as originally scheduled -- ran the exploit code while the competitors watched remotely. "They had to trust that we wouldn't alter or adversely impact their research, so it was a big leap of faith on their part," said Gorenc.

"Probably the biggest challenge was making sure we run the contest fairly," Gorenc added. "We pride ourselves on being impartial arbiters. Once we determined how we could adjudicate the contest in a manner that was equitable to researchers, vendors and ZDI alike, we knew we could actually make a virtual competition happen."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.