Pwn2Own Tokyo 2018 - Day Two Results and Master of Pwn

November 14, 2018 | Dustin Childs

The second and final day of Pwn2Own Tokyo 2018 successfully concluded with an additional $100,000 USD awarded for today’s demonstrations.

Our day began with the Fluoroacetate duo of Amat Cama and Richard Zhu targeting the iPhone X in the browser category. After a stellar first day, they kicked off Day Two in style by combining a JIT bug in the browser along with an Out-Of-Bounds Access to exfiltrate data from the phone. For their demonstration, the data they chose happened to be a deleted picture, which certainly was a surprise to the person in the picture. The research earned them $50,000 and 8 more points towards Master of Pwn.

DAY 2 PROBA 1.00_00_30_03.Still003.jpg

Next up, the MWR Labs team of Georgi Geshev, Fabi Beterke, and Rob Miller also targeted the iPhone X in the browser category. Unfortunately, they couldn’t get their exploit chain to work within the time allotted, resulting in a failed attempt. However, they did have some great research, and we acquired the bugs through our normal ZDI program.


Following that, the Fluoroacetate team returned, this time targeting the web browser on the Xiaomi Mi6. They continued their successful contest by using an integer overflow in the JavaScript engine to exfiltrate a picture from the phone. They earned themselves another $25,000 USD and 6 Master of Pwn points.


The Fluoroacetate team couldn’t keep their momentum going throughout the entire competition, as their last entry fizzled out. They attempted to exploit the baseband on the iPhone X, but could not get their exploit working in the time allotted. Still, five out of six successful demonstrations is pretty remarkable. We’re glad to see these two team up and hope to see more from them in the future.


Our final entry for this year’s event saw the MWR Labs team target the web browser on the Xiaomi Mi6 handset. The team combined a download bug along with a silent app installation to load their custom application and exfiltrate pictures. This earned them another $25,000 USD and 6 additional points toward Master of Pwn.



That closes out Pwn2Own Tokyo for 2018. With 45 points and $215,000 USD total, we’re happy to announce the Fluoroacetate duo of Amat Cama and Richard Zhu have earned the title Master of Pwn!


Overall, we awarded $325,000 USD total over the two day contest purchasing 18 0-day exploits. Onsite vendors have received the details of these bugs and now have 90 days to produce security patches to address the bugs we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting bugs we saw this week.

Until then, you can follow the team for the latest in exploit techniques and security patches. See you at the next event!.