Pwn2Own Day 1: Researchers Win $282,500 by Hacking Chrome, Flash, Safari
March 18, 2016
Shah Sheikh

During the first day of the Pwn2Own 2016 hacking contest that’s taking place in Vancouver, Canada, hackers took home $282,500 for finding new security flaws in applications such as Adobe Flash, Google Chrome, and Apple Safari.

The leaders after the first day are the 360Vulcan Team (Qihoo 360), who demonstrated two successful exploits that earned them $132,500.

The first exploit was against Adobe Flash. It leveraged a type confusion bug in Flash along with a use-after-free vulnerability in the Windows Kernel to run code with SYSTEM privileges on the machine. This earned the hackers $80,000.

Their second exploit was against Google Chrome, where they combined four new bugs (two use-after-free vulnerabilities in Flash, one out-of-bounds vulnerability in Chrome, and one use-after-free vulnerability in the Windows Kernel) to execute code on the machine with SYSTEM privileges.

They received only $52,500 for their efforts, because an independent researcher had already discovered and reported the Chrome vulnerability to Google prior to the contest.

Researchers can still beat last year’s payout record

Second on Pwn2Own’s rankings is JungHoon Lee (lokihardt), who showcased an exploit against Apple’s Safari browser. Like 360Vulcan, Lee chained four bugs together. He took advantage of a use-after-free vulnerability in Safari and three other vulnerabilities to escalate his access to the root user, which earned him $60,000.

Tencent Security Team Shield ranked third, winning $40,000 for an exploit against Apple Safari in which they gained root privileges on the device by exploiting a use-after-free vulnerability in Safari and another one in an undisclosed privileged process.

Tencent Security Team Sniper also earned $50,000 for attacking Flash with an out-of-bounds vulnerability, combined with an infoleak vulnerability and a use-after-free vulnerability in the Windows Kernel, to get SYSTEM access on the machine.

One team failed in its demonstration: Tencent Xuanwu Lab, which tried to leverage a Flash bug in Edge.

Last year’s total payout was $552,000, and researchers still have a chance of beating that record, since this year’s contest allows hackers to take home a maximum payout of $600,000. There’s only one day left in the contest, and a schedule for Day 2’s presentations has been published.

Source | Softpedia