Independent researchers collected $267,000 in bug purchases this week at the annual Pwn2Own contest at CanSecWest in Vancouver, after demonstrating vulnerability exploits in Apple (5 bugs), Microsoft (4), Oracle (2), and Mozilla software (1).
Richard Zhu, aka “fluorescence,” emerged as the Master of Pwn, winning the annual content with a total of 12 points. According to an event recap from Trend Micro's Zero Day Initiative, the organizers of Pwn2Own, Zhu successfully leveraged two use-after-free vulnerabilities in the Microsoft Edge browser and an integer overflow in the kernel in order to run code with elevated privileges. Later, he exploited an out-of-bounds write flaw in the Mozilla Firefox browser and an integer overflow in the Windows kernel to achieve an escalation of privileges and earn $120,000 over two days of competition.
Two entrants managed to separately pull off exploits of the Apple Safari browser. The first used a JIT optimization bug in the browser and a macOS logic bug to escape the sandbox, and then a kernel overwrite to execute code with a kernel extension. The other combined a heap buffer underflow in Safari and an uninitialized stack variable in macOS to enable a sandbox escape and code execution.
Another entrant exploited an out-of-bounds read and a time of check-time of use bug in Oracle VirtualBox.
During the competition, each contestant was given three chances to demonstrate their exploits within a 30-minute window. In addition to the bugs that were successfully exploited, ZDI reports there were several more uncovered in failed and withdrawn attempts. Affected vendors have been given 90 days to produce security patches for the reported bugs.