The Results - Pwn2Own 2017 Day Three
March 17, 2017 | Dustin ChildsOur final day of Pwn2Own 2017 came to a close with some amazing research. The contest had never previously required a 3rd day of competition, but with our largest ever number of registrations, coinciding with our 10th anniversary, extending to include the extra entries proved more than worthwhile. Just today, we awarded $250,000 and 54 Master of Pwn points.
Our day started with the folks from 360 Security (@mj0011sec) attempting a full virtual machine escape through Microsoft Edge. In a first for the Pwn2Own competition, they absolutely succeeded by leveraging a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. These three bugs earned them $105,000 and 27 Master of Pwn points. They won’t say exactly how long the research took them, but the code demonstration needed only 90 seconds.
Next up was Richard Zhu (fluorescence) targeting Microsoft Edge with a SYSTEM-level escalation. Although his first try failed, his second attempt leveraged two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel. This garnered him $55,000 and 14 points towards Master of Pwn.
The final event for both the day and the contest had Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting VMWare Workstation (Guest-to-Host), and the event certainly did not end with a whimper. They used a three-bug chain to win the Virtual Machine Escapes (Guest-to-Host) category with a VMWare Workstation exploit. This involved a Windows kernel UAF, a Workstation infoleak, and an uninitialized buffer in Workstation to go guest-to-host. This category ratcheted up the difficulty even further because VMware Tools were not installed in the guest. The win garnered them $100,000 and 13 points for Master of Pwn.
Which of course brings us to the final tallies and crowning of the Master of Pwn. We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points. Here’s the breakdown of the top contestants.
| Team | Points |
|---|---|
| 360 Security | 63 |
| Tencent Security - Team Sniper (Keen Lab and PC Mgr) | 60 |
| Chaitin Security Research Lab | 26 |
| Richard Zhu (fluorescence) | 14 |
| Tencent Security - Team Lance | 13 |
| Tencent Security - Team Ether | 10 |
| Samuel Groß and Niklas Baumstark | 9 |
Congratulations to the team from 360 Security (@mj0011sec) on winning Master of Pwn, and congratulations to all of those who participated!
It has been a great contest full of great research. As a reminder, all purchased bugs were privately disclosed to the vendors. We will continue working with them as they develop security patches. Thanks to everyone who helped plan, coordinate, and execute this contest, and thanks to all of those who participated. We’ll see you next year!