Pwn2Own Tokyo 2019 – Day One Results

November 06, 2019 | Dustin Childs

The first day of Pwn2Own Tokyo 2019 has come to a close, and some amazing research was demonstrated throughout the day. In total, we awarded $195,000 for 12 total bugs. The day saw nine successful attempts against seven targets in five categories.

Our day began with Fluoroacetate (Amat Cama and Richard Zhu) targeting the Sony X800G television. This was the first attempt against a television in Pwn2Own history, but it took no time for the Pwn2Own veterans to get a bind shell due to a JavaScript out-of-bounds (OOB) Read in the embedded web browser. Their first successful exploit of the contest earned them $15,000 USD and 2 points toward Master of Pwn.

Next up, Pwn2Own newcomers Pedro Ribeiro and Radek Domanski of Team Flashback targeted the LAN interface of the NETGEAR Nighthawk Smart WiFi Router (R6700). The Router category is new for this year’s event, and several entrants decided to test their skills against the ubiquitous devices. Pedro and Radek had no problems leading the way by using a stack-based buffer overflow to get a shell on the router. Their first foray into the Pwn2Own world earned them $5,000 and .5 Master of Pwn points.

Pedro Ribeiro and Radek Domanski of Team Flashback

In a day full of firsts, the Fluoroacetate duo returned for our first ever attempt in the Home Automation category. They chose the Amazon Echo Show 5 for their target, and with the device in an RF enclosure to ensure no outside interference, they used an integer overflow in JavaScript to compromise the device and take control. This exploit earned them $60,000 and 6 Master of Pwn points.

ZDI’s Abdul-Aziz Hariri and Richard Zhu of Fluoroacetate

Richard and Amat returned to the television category, this time targeting the Samsung Q60. Although their first attempt failed, their second attempt was able to use an integer overflow in JavaScript to get a reverse shell from the television. The successful demonstration earned the team another $15,000 and 2 Master of Pwn points.

Amat Cama and Richard Zhu of Fluoroacetate

The Fluoroacetate team returned, this time targeting the first handset of the competition – the Xiaomi Mi9. This time, they used a JavaScript bug that jumped the stack to exfiltrate a picture from the Xiaomi Mi9. Once patched, this should prove to be an interesting write-up. They earned $20,000 USD and 2 additional Master of Pwn points for their efforts.

Showing the exfiltrated picture

Next, the Flashback duo of Pedro Ribeiro and Radek Domanski targeted the WAN interface of the NETGEAR Nighthawk Smart WiFi Router (R6700) in the Router category. Although the attempt took some time due to the device starting up, they were able to remotely modify the router's firmware such that their payload persisted across a factory reset. That’s pretty much the definition of persistence. They earned $20,000 and 1 more Master of Pwn point for their successful demonstration.

Richard Zhu and Amat Cama of Fluoroacetate

In their final attempt of the day, Pedro Ribeiro and Radek Domanski targeted the LAN interface of the TP-Link AC1750 Smart WiFi router. They used a total of three different bugs – starting with a command injection vulnerability – to get their code executed on the target. They earned themselves another $5,000 and .5 Master of Pwn points. That brings their total winnings on the first day of their first Pwn2Own to $30,000. Not a bad first day.

ZDI’s Abdul-Aziz Hariri and Jasiel Spelman observe Pedro Ribeiro and Radek Domanski of Team Flashback

The team from F-Secure Labs – Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro – were up next, also targeting the TP-Link AC1750 Smart WiFi router. Although they had a successful demonstration (complete with synchronized lights on the router), the exploit used some of the same bugs as a previous contestant. It still qualified as a partial win, but no Master of Pwn points were awarded. It was still a great demonstration – especially the “Vegas lights” on the router.

Mark Barnes, Max Van Amerongen, and James Loureiro of F-Secure Labs

In their final attempt for Day One, the Fluoroacetate team of Richard Zhu and Amat Cama returned to target the Samsung Galaxy S10 via the NFC component. They used a bug in JavaScript JIT followed by a Use After Free (UAF) to escape the sandbox and grab a picture off the phone. All it took was a tap. Their final entry for Day One earns them $30,000 and 3 Master of Pwn points. That puts their day one total at $145,000. They also have a commanding lead on Master of Pwn with 15 total points.

ZDI’s Jasiel Spelman and Richard Zhu of Fluoroacetate

The final event of the day saw the F-Secure Labs crew return to target the Xiaomi Mi9 handset in the Web Browser category. They had a partial success. Their demonstration was successful thanks to a couple of chained logic bugs. However, one of the bugs was known to the vendor. That makes it a partial win, but the team still receives $15,000 and 2 Master of Pwn points.

That wraps up the first day of Pwn2Own Tokyo 2019. We’ve seen some exciting research and set quite a few “firsts” for our contest: first television, first router, and first home automation. Tomorrow looks to be just as exciting, with both baseband attempts occurring first thing in the morning. As with today, we’ll be live updating the blog with results as they occur.

Stay tuned to our Twitter feed and this blog for tomorrow's results as we wrap up Pwn2Own Tokyo 2019.