Pwn2Own Vancouver 2019: Day One Results

March 21, 2019 | Dustin Childs

The first day of Pwn2Own Vancouver 2019 is in the books and already, we’ve seen some great research. At the end of the day, we saw 4 successful attempts and one partial win, with contestants earning $240,000 USD in cash awards – plus the laptops used to demonstrate their research. Let’s take a closer look at the day’s events.

The contest started with the team of Fluoroacetate (Amat Cama and Richard Zhu) targeting the Apple Safari web browser. They successfully exploited the browser using an integer overflow, then used a heap overflow to escape the sandbox. The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape: the code would fail, then try again until it succeeded. The demonstration earned them $55,000 USD and 5 points towards Master of Pwn.

Richard Zhu and Amat Cama (Team Fluoroacetate) target Apple Safari

The Fluoroacetate duo returned targeting Oracle VirtualBox in the virtualization category. Although their first attempt failed, the second attempt successfully used an integer underflow and a race condition to escalate from the virtual client to pop calc at medium integrity. It wasn’t the race condition that caused their failed first attempt. Their memory leak was working, but their code execution failed. Everything aligned on the second attempt, which earned them $35,000 USD and 3 more Master of Pwn points.

Amat Cama and Richard Zhu (Team Fluoroacetate) demonstrate their Oracle VirtualBox exploits

Next up, Pwn2Own newcomer anhdaden of STAR Labs also targeted Oracle VirtualBox. He also used an integer underflow to escalate from the virtual client to execute his code on the hypervisor at medium integrity. Interestingly, his integer underflow was a different bug from the underflow demonstrated earlier. His first foray into Pwn2Own netted him $35,000 USD and 3 Master of Pwn points. This also marks the first Vietnamese winner at Pwn2Own. We hope to see more from him in the future.

anhdaden of STAR Labs shows off his successful Oracle VirtualBox demonstration

In their final entry for Day One, the Fluoroacetate duo targeted VMware Workstation. They leveraged a race condition leading to an out-of-bounds write to go from the virtual client to executing code on the underlying host operating system. They earned $70,000 USD and 7 additional Master of Pwn points. This brings their Day One total to $160,000 and 15 Master of Pwn points.

Richard Zhu and Amat Cama (Fluoroacetate) show off their final success of Day One.

The final entry in Day One saw the phoenhex & qwerty team (@_niklasb, @qwertyoruiopz, and @bkth_) targeting Apple Safari with a kernel elevation. They demonstrated a complete system compromise. By browsing to their website, they triggered a JIT bug followed by a heap out-of-bounds (OOB) read, used twice, then pivoted from root to kernel via a Time-of-Check-Time-of-Use (TOCTOU) bug. Unfortunately, it was only a partial win since Apple already knew of one of the bugs used in the demo. Still, they earned themselves $45,000 USD and 4 points towards Master of Pwn.

The phoenhex and qwerty team show off their Safari exploit

That wraps up Day One of Pwn2Own Vancouver 2019. In total, we awarded $240,000 USD for some exciting research. Join us tomorrow as even more exploits are demonstrated, and don’t forget the automotive category happening on Friday, March 22. See you then!