Pwn2Own Vancouver 2019: Day Two Results

March 22, 2019 | Dustin Childs

Day Two of Pwn2Own has come to an end, and the research presented was truly amazing. For Day Two, we awarded $270,000 for a total of nine unique vulnerabilities. Let’s take a look at the details of the bugs demonstrated.

Our day began with the Fluoroacetate duo of Amat Cama and Richard Zhu targeting the Mozilla Firefox web browser. They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website. The effort earned them another $50,000 and five more points towards Master of Pwn.

Richard Zhu and Amat Cama demonstrate their Firefox exploit

The prolific duo returned with perhaps their greatest challenge of the competition. Starting from within a VMware Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page. That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware workstation. The masterfully crafted exploit chain earned them $130,000 and 13 Master of Pwn points. They now have a commanding lead with 33 points total. In the two days of the competition, they have racked up a total of $340,000 as a result of their phenomenal work. Tomorrow, they will attempt to cap their week off with a successful demonstration in the automotive category.

The Fluoroacetate duo of Amat Cama and Richard Zhu elevate from a browser to the host OS

The third attempt of the day had Niklas Baumstark (@_niklasb) target the Mozilla Firefox web browser. He used a JIT bug in the browser followed by a logic bug to escape the sandbox. In a real-world scenario, an attacker could use this to run their code on a target system at the level of the logged-on user. The successful demonstration earned him $40,000 and 4 Master of Pwn points.

Niklas Baumstark targets Mozilla Firefox along with a sandbox escape

The final attempt for Day Two had Arthur Gerkis (@ax330d) of Exodus Intelligence targeting Microsoft Edge. Another newcomer to Pwn2Own, he wasted no time by using a double free bug in the renderer followed by a logic bug to bypass the sandbox. His debut entry earned him $50,000 and five points towards Master of Pwn.

Arthur Gerkis of Exodus Intelligence demonstrates his Microsoft Edge exploit

That brings Day Two to a close. We awarded $270,000 for 9 unique bugs today, which brings the two-day total to $510,000. Join us tomorrow as we debut the automotive category with the two final entries of Pwn2Own Vancouver 2019.