Pwn2Own 2018 – Day Two Results and Master of Pwn

March 16, 2018 | Dustin Childs

The second and final day of Pwn2Own 2018 successfully concluded with an additional $105,000 USD and 11 more Master of Pwn points awarded.

The day started with the return of Richard Zhu (fluorescence), this time targeting Mozilla Firefox with a Windows kernel EoP. He eschewed all drama today and successfully popped Mozilla Firefox on his first attempt. He used an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel to earn himself another $50,000 and 5 more Master of Pwn points. This brings his event total to $120,000 and a commanding lead for Master of Pwn.

Richard Zhu (fluorescence) works with ZDI researcher Mat Powell to set up his exploit

Next up, Markus Gaasedelen (gaasedelen), Nick Burnett (itszn13), and Patrick Biernat of Ret2 Systems, Inc. targeted Apple Safari with a macOS kernel EoP. After experiencing some unexpected failures, they successfully demonstrated their exploit on the fourth attempt. Unfortunately, the contest rules only allow three attempts, so this counted as a failure. Still, the bugs used were purchased and disclosed to the vendor through the normal ZDI process.

Nick Burnett (left) and Markus Gaasedelen review their exploit during the attempt

The final entry for the day and for the contest saw a team from MWR labs – Alex Plaskett (AlaxJPlaskett), Georgi Geshev (munmap), and Fabi Beterke (pwnfl4k3s) - target Apple Safari with a sandbox escape. They utilized a heap buffer underflow in the browser and an uninitialized stack variable in macOS to escape the sandbox and gain code execution. In doing so, they earned $55,000 and 5 Master of Pwn points.

Alex Plaskett (left), Fabi Beterke (middle), and Georgi Geshev explain their research in the disclosure room

This bring the event to a close, and with it, we’re able to award Richard Zhu (fluorescence) as the Master of Pwn! His entries earned him $120,000 over the two days as he accumulated 12 Master of Pwn points. Richard has participated in previous Pwn2Own contests, and we certainly hope he returns in the future to defend his title.

Richard Zhu (fluorescence) accepts the Master of Pwn trophy and jacket

Here are the final standings for Master of Pwn for Pwn2Own 2018:

And of course, each winner gets to keep the laptop they exploited. They pwned it; they get to own it.

From left to right: Georgi Geshev, Fabi Beterke, Niklas Baumstark , Samuel Groß, Richard Zhu, Alex Plaskett

Overall, we awarded $267,000 over the two-day contest while acquiring five Apple bugs, four Microsoft bugs, two Oracle bugs, and one Mozilla bug. While smaller than some of our previous competitions, the quality of research was still extraordinary and highlights the difficulty in producing fully-functioning exploit for modern browsers and systems. We want to congratulate all those who participated in this year’s event. We also want to thank the multiple people who registered for the contest but needed to withdraw.

Finally, special thanks go out to our partner Microsoft and sponsor VMware. Their involvement was crucial to success of the contest.

Year after year, Pwn2Own serves as an annual assessment of the state of security as we pit the best vendors have to offer against some of the best security researchers in the world. It also reminds us that even though the level of difficulty (thankfully) continues to increase, there are still methods for exploiting the latest and greatest software out there. Vendors now have 90 days to produce security patches to address the bugs we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting bugs we saw this week.

Until then, you can follow the team for the latest in exploit techniques and security patches. See you at the next event!