Pwn2Own is a hacking contest held annually at the CanSecWest security conference in Vancouver, Canada, where contestants try to exploit popular software and mobile operating systems using previously unknown vulnerabilities. This year's event was sponsored by VMware, Microsoft and Tesla.
The most impressive exploit came from the Fluoroacetate team: they opened the Edge browser via VMware Workstation, leveraging an exploit to take down the underlying Windows host and an uninitialized buffer in VMware Workstation for a complete virtual machine escape, for which they were awarded prize money of $130,000.
The Fluoroacetate team, comprising the duo of Richard Zhu and Amat Cama, also successfully exploited Apple's Safari, bypassing the sandbox using an integer overflow and a heap overflow in a brute-force technique, which earned them a $55,000 reward.
Lastly, the team targeted the Firefox web browser by exploiting a JIT bug, closely followed by an out-of-bounds rewrite in the Windows kernel, and ended up winning an additional $50,000.
In the course of the event, the Phoenhex & Qwerty team took down the Safari browser with kernel privilege elevation, triggering a JIT bug from their website and then exploiting a Time-of-Check-Time-of-Use (TOCTOU) bug. Apple, however, is aware of the bugs, but it was still considered a partial win, for which the team earned $45,000 in prize money.
The three-day event saw numerous software products and operating systems put to the test by a dedicated team of hackers and security researchers, with the Fluoroacetate team having earned a whopping $375,000 and the well-deserved title of Master of Pwn for 2019.