The Corona Virus pandemic has resulted in the closure or postponing of many international events and functions all over the world. One such event is the Pwn2Own 2020 that was supposed to happen in Vancouver, a seaport city in Canada. The event got canceled to control the spread of the virus and to prevent healthy people from getting infected. But nothing could stop the hackathon from happening.
Instead of conducting the hackathon in Vancouver, the organizers, Zero Day Initiative (ZDI) hosted the entire event online via software called Zoom. White-Hat Hackers around the world participated in this hacking contest. Brian Gorenc of ZDI had announced a month earlier that the event will be held virtually on his live blogging page. He also said that the researchers that will be running the attempts will be doing so from their office in Austin, Texas. The researchers will be communicating with the contestants via phone or video call.
The Pwn2Own 2020 competition consisted of 2 days (19 & 20 March 2020) of intensive hacking that consisted of competitors trying to get into the targeted systems by hook or by crook. The competition began with the Georgia Tech Systems Software and Security Lab that consisted of Yong Hwi Jin, Jungwon Lim, and Insu Yun. the trio of Georgia Tech targeted the Apple Browser Safari with a macOS Kernel Escalation privilege. The team combined together with 6 unique bugs starting with JIT (Just-In-Time) vulnerability and TOCTOU/race condition to escape the sandbox and pop a root shell. The team also managed to disable the System Integrity Protection (SIP) on the device to demonstrate that they achieved kernel-level code execution. Their combined efforts and hard work with a step by step and smooth demonstration of how their bug operated won them $70,000 and 7 points towards the Master of Pwn title.
One of the Pwn2Own veterans, Phi Pham Hong of Star Labs, which targeted the Oracle Virtual Box. The bug took all 3 attempts for a successful infiltration and helped him earn $40,000 dollars and an addition of 4 points towards the Master Of Pwn title. Another official entry of Pwn2Own 2020 was the team Synacktiv that consisted of Corentin Bayet and Bruno Pujos. The duo team Synacktiv targeted the VMwareWorkstation with a guest-to-host escape. Unfortunately, the bug created by the team couldn’t demonstrate its capabilities in the given amount of time.
However, upon closer scrutiny by the ZDI team, it is observed that the bug was valid and purchased it through their ZDI program. The competition also consisted of a special feature that showed ZDI’s Lucas Leong demonstrating a Guest-to-Host escape in Oracle Virtual Box. The bug that Lucas created, it is managed to leverage an out-of-bounds read for an information leak and a use-after-free code execution. The whole procedure was captured and put up on Youtube free of cost.
Pwn2Own 2020 Results
The Pwn2Own results weren’t surprising at all as the previous year champions, Richard Zhu and Amat Cama yet again bagged the Master of Pwn Trophy. The Fluoroacetate, as the duo likes to call themselves, won the ethical hacking competition by demonstrating how a pair of use-after-free bugs in Adobe Reader and the Windows Kernel that could be used to take access over the target machine. The duo bagged the first place while Georgia Tech Systems Software and Security Lab team came second. In addition to the trophy, both the winners were also awarded custom pwn2own hockey jerseys and 65,000 ZDI points that gave them Platinum Status.
The Pwn2Own rules elaborately explain the eligibility of the participants that are allowed to take part in the Pwn2Own ethical hacking competition. The rules also state that the competition is open to all the registrants of the CanSecWest Security Expo.
The event was signed off with a special thanks to all those people who made the event a (virtual) reality. Companies like Microsoft Security Response Center, Adobe, Apple, and Canonical helped ZDI in disclosure and also helped in organizing and setting up Zoom meetings.
Although the Corona pandemic prevented the teams and organizers to meet in Vancouver as planned, they created a virtual space to help participants to display their work. Another advantage of going virtual is the ability of other participants and researchers who are not able to attend the competition due to visa and travel limitations, to join the convention to gain and share knowledge among one another.