Pwn2Own Tokyo 2019 – Day Two Final Results

November 07, 2019 | Dustin Childs

The second and final day of Pwn2Own Tokyo 2019 is in the books, and much like Day One, some great research was put on display. Today saw six successful attempts against five targets across various categories.

The day began somewhat quietly as Team Fluoroacetate (Amat Cama and Richard Zhu) withdrew their entry targeting the baseband component of the Oppo F11 Pro handset. Instead, they moved straight to the Samsung Galaxy S10 in the same category. Their rogue base station used a stack overflow to push their file onto the target handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points. This is the third year in a row the Samsung handset has been compromised via baseband.

Richard Zhu and Amat Cama of Fluoroacetate

In their penultimate entry of the contest, Richard and Amat turned their attention to the LAN interface of the NETGEAR Nighthawk Smart WiFi Router (R6700). They successfully demonstrated their research; however, the auth bypass they used had also been part of a previous contestant’s entry. That makes this attempt only a partial win.

ZDI’s Abdul-Aziz Hariri and Richard Zhu of Fluoroacetate

Next up, Pedro Ribeiro and Radek Domanski of Team Flashback continued their run on wireless routers by targeting the WAN port of the TP-Link AC1750 Smart WiFi router. The exploit used a stack overflow combined with a logic bug to gain code execution on the device. This earned them $20,000 and one more point towards Master of Pwn. They wrap up their first Pwn2Own with a total of $50,000 for four successful demonstrations. We certainly hope this is just the beginning of a long and prosperous Pwn2Own career.  

Pedro Ribeiro of Team Flashback

The team from F-Secure Labs, Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro, began their second day of the competition by also targeting the WAN interface of the TP-Link AC1750 Smart WiFi router. They combined a command injection bug with some insecure defaults to gain code execution on the device. They also showed off their LED light skills by having the front of the router play “snake” for us. Style points aside, the successful demonstration earned them $20,000 and one Master of Pwn point.

In their final entry for the contest, the F-Secure Labs team targeted the Xiaomi Mi9 handset via the NFC component. In order to exfiltrate a photo from the phone, they tapped it to their specially crafted NFC tag. That triggered a cross-site scripting (XSS) bug in the NFC component and sent a picture to a different phone they controlled. The effort earned them $30,000 and 3 Master of Pwn points. That brings their contest total to $70,000 and puts them in second place in the Master of Pwn with six total points.

ZDI’s Jasiel Spelman configures a device with Max Van Amerongen of F-Secure Labs

The final entry of the contest saw the Fluoroacetate duo target the web browser of the Samsung Galaxy S10. They employed an integer overflow along with a use-after-free (UAF) for the sandbox escape to exfiltrate a picture off the phone. While their demonstration was successful, it turns out part of their bug chain had been used by a previous contestant. Still, it was great to see the contest come to a close without any failed attempts.

Team Fluoroacetate showing their exfiltrated photo

That brings our contest to a close, and with $195,000 and 18.5 points, the Fluoroacetate duo of Richard Zhu and Amat Cama retain their title of Master of Pwn – their third in a row!

Master of Pwn winners Richard Zhu and Amat Cama of Team Fluoroacetate

Overall, we awarded more than $315,000 USD total over the two-day contest while purchasing 18 different bugs in the various products. Onsite vendors have received the details of these bugs and now have 90 days to produce security patches to address the bugs we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting research we saw this week.

Until then, you can follow the team for the latest in exploit techniques and security patches. See you in Miami.