Pwn2Own 2017 – Day Two Schedule and Results

March 15, 2017 | Dustin Childs

With the unprecedented number of contestants and entries, the Zero Day Initiative is dividing today’s schedule into two tracks. The first track will focus on attempts against Microsoft and Adobe products. Track Two focuses on products from Apple and Mozilla. This allows ZDI to get through twice the number of contestants in a single day during our largest ever Pwn2Own. We’re thrilled at the level of participation for the 10th anniversary of Pwn2Own and look forward to awarding over $1,000,000 USD in prizes.

The full schedule for Day Two is below (all times PDT). We will update this schedule with results as they become available.

Day Two - March 16, 2017 – Track A
8:30am – 360 Security (@mj0011sec) targeting Adobe Flash with a SYSTEM-level escalation and a virtual machine escape
SUCCESS: 360 Security (@mj0011sec) successfully exploits Adobe Flash and elevates to SYSTEM using 4 bugs. They did not complete the VMware escape bonus portion, but what they demonstrated constitutes a win and nets them $40,000 and 12 Master of Pwn points.

10:00am – Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting Adobe Flash with a SYSTEM-level escalation
SUCCESS: Tencent Security – Team Sniper (Keen Lab and PC Mgr) successfully exploits Adobe Flash via a UAF and escalates to SYSTEM with a UAF in the Windows kernel. This earned them $40,000 and 12 points for Master of Pwn.

11:00am – Tencent Security - Lance Team targeting Microsoft Edge with a SYSTEM-level escalation
SUCCESS: Tencent Security – Lance Team successfully exploits Microsoft Edge by using a UAF in Chakra, then elevates to SYSTEM by using a UAF in the Windows kernel. They earned themselves $55,000 and 13 Master of Pwn points.

1:00pm – Tencent Security - Sword Team targeting Microsoft Edge
DISQUALIFIED: The entry from Tencent Security – Sword Team was disqualified for not using true 0-days. The bugs used were reported earlier in the contest by a separate Tencent team and are known by the vendor.

2:30pm – Tencent Security - Lance Team targeting Microsoft Windows
WITHDRAW: The team has withdrawn this entry from the competition.

3:30pm – Tencent Security - Team Shield (Keen Lab and PC Mgr) targeting Microsoft Edge with a SYSTEM-level escalation
WITHDRAW: The team has withdrawn this entry from the competition.

4:30pm – Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting Microsoft Edge with a SYSTEM-level escalation
SUCCESS: Tencent Security - Team Sniper (Keen Lab and PC Mgr) exploits Microsoft Edge with a SYSTEM-level escalation by using a UAF in Chakra and a UAF in the Windows kernel.

5:30pm – 360 Security (@mj0011sec) targeting Microsoft Windows
SUCCESS: 360 Security (@mj0011sec) successfully exploits Microsoft Windows with an out-of-bounds bug in the Windows kernel. This nets them $15,000 and 4 Master of Pwn points.

7:00pm – Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting Microsoft Windows
SUCCESS: The folks from Tencent Security - Team Sniper (Keen Lab and PC Mgr) elevated privileges in Microsoft Windows through an integer overflow in the kernel. This final act of Day Two earned them $15,000 and 4 points for Master of Pwn.

Day Two - March 16, 2017 – Track B
9:15am – Tencent Security - Team Shield (Keen Lab and PC Mgr) targeting Apple macOS
WITHDRAW: The team has withdrawn this entry from the competition.

10:45am – 360 Security (@mj0011sec) targeting macOS
SUCCESS: 360 Security (@mj0011sec) successfully elevates privileges on Apple macOS by using an infoleak and a race condition in the kernel. In doing so, they garner $10,000 and 3 more points for Master of Pwn.

11:45am – 360 Security (@mj0011sec) targeting Apple Safari with an escalation to root on macOS
SUCCESS: 360 Security (@mj0011sec) successfully exploited Apple Safari through an integer overflow and escalated to root using a macOS kernel UAF. This garners them $35,000 and 11 more Master of Pwn points.

2:00pm – Chaitin Security Research Lab (@ChaitinTech) targeting macOS
SUCCESS: The Chaitin Security Research Lab (@ChaitinTech) succeeds in elevating privileges on macOS by using an infoleak and an out-of-bounds bug in the macOS kernel. In doing so, they netted another $10,000 and 3 more Master of Pwn points.

3:00pm – Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting Apple macOS
DISQUALIFIED: This entry from Tencent Security – Team Sniper (Keen Lab and PC Mgr) was disqualified for not using true 0-days. The bugs used were previously known by the vendor.

4:00pm – Moritz Jodeit, Blue Frost Security (@moritzj) targeting Mozilla Firefox
FAILURE: The contestant could not complete their exploit chain within the allotted time.

5:00pm – Chaitin Security Research Lab (@ChaitinTech) targeting Mozilla Firefox with a SYSTEM-level escalation
SUCCESS: The Chaitin Security Research Lab (@ChaitinTech) team finishes their Pwn2Own by exploiting Firefox with an integer overflow and escalating privileges through an uninitialized buffer in the Windows kernel.

6:00pm – Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting Apple Safari with an escalation to root on macOS
SUCCESS: Tencent Security - Team Sniper (Keen Lab and PC Mgr) exploits Safari with an integer overflow and escalates to root with an out-of-bounds UAF in WindowServer. This nets them $35,000 and 11 points for Master of Pwn.

We’ll update this blog with results as they become available. Follow us on Twitter for the latest information, including a wrap of Day One and the schedule for Day Three.