This year's event is perhaps the largest in Pwn2Own history, with about 23 separate entries targeting 10 different products across categories including Web Browsers, Servers, Virtualization, Local Escalation of Privilege, and the newest category, Enterprise Communications.
Targets that were successfully exploited included Microsoft Exchange, Microsoft Teams, Zoom, Apple Safari, Windows 10, and Ubuntu. For comparison, at last year's event, Pwn2Own 2020, the Georgia Tech team earned a $70,000 bounty by targeting Apple Safari.
How the major exploits were executed by the hackers
Daan Keuper and Thijs Alkemade of Computest Security demonstrated a zero-click exploit against Zoom, chaining three bugs to gain code execution on the target system. Their entry is particularly noteworthy because the flaws required no interaction from the victim beyond being on a Zoom call.
The flaws affect both the Windows and Mac versions of the Zoom app; it is not yet clear whether the Android and iOS versions are also vulnerable.
In the Local Escalation of Privilege category, Tao Yan of Palo Alto Networks targeted Windows 10 and used a race condition bug to escalate to SYSTEM on a fully patched Windows 10 machine, earning $40,000 and 4 points towards Master of Pwn.
Also in the Local Escalation of Privilege category, Manfred Paul targeted Ubuntu Desktop and used an out-of-bounds (OOB) access bug to escalate to root. The Pwn2Own veteran earned $30,000 in prize money and 3 points towards Master of Pwn.
Alisa Esage, an independent researcher, made history as the first woman to win at Pwn2Own, with a bug in the virtualization software Parallels. She was awarded a partial win, however, because the flaw had already been reported to ZDI before the event. A more detailed explanation of all the exploits recorded at Pwn2Own 2021 is available from ZDI.