Pwn2Own Tokyo (Live from Toronto) – Day Three Results and Master of Pwn

November 08, 2020 | Dustin Childs

Pwn2Own Tokyo (Live from Toronto) has completed, but not without its fair share of drama and excitement. The third and final day of the competition saw us award $37,500 for 6 bugs across 4 devices. Here’s a quick video recapping the day’s events:

Our day began with the DEVCORE team successfully demonstrating their code execution bug chain on the Western Digital My Cloud Pro Series PR4100 NAS. They used a six-bug chain to get their root shell, but two of these bugs had been previously reported. They still earn $17,500 and 1.5 points towards Master of Pwn.

Figure 1 - Demonstrating the root shell on the Western Digital NAS

Next up, Team Bugscale targeted the LAN interface of the NETGEAR Nighthawk R7800 router. Unfortunately, they could not get their exploit to work within the time allotted.

Figure 2 - Team Bugscale could not get their exploit to work in the time allotted

Following that, Pwn2Own newcomer Gaurav Baruah targeted the Western Digital My Cloud Pro Series PR4100. He was able to demonstrate getting a root shell on the device. However, the bug he used had been previously reported during the contest. He still earns 1 point towards Master of Pwn.

Figure 3 - Gaurav Baruah watches his demonstration gain a root shell

The Viettel Cyber Security team returned for their second attempt of the contest. This time, the Sony X800 smart TV was their focus. They were able to read sensitive files from a fully patched device. However, the bug they used was publicly known. This partial win does result in 1 point towards Master of Pwn.

Figure 4 - Disclosing sensitive files from a Sony smart TV

In the final entry of the contest, the STARLabs team returned to target the Synology DiskStation DS418Play NAS. They combined a race condition and an Out-Of-Bounds (OOB) Read to get a root shell on the device. This successful demonstration earned them $20,000 and 2 Master of Pwn points.

Figure 5 - The STARLabs team observes the ZDI Bug Extraction Crew demonstrate their root shell on the Synology NAS

And thus ends another exciting Pwn2Own event. After counting all the points, Team Flashback, also known as Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro), came out on top and were crowned the Master of Pwn for the event. Congratulations to the duo of researchers. Here’s how the final standings look:

For the entire competition, we awarded $136,500 for 23 unique bugs across six different devices. As always, vendors have received the details of these bugs, and they now have 120 days to produce security patches to address the issues we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting research we saw this week.

Special Thanks

We wanted to be sure to thank everyone who participated in this year’s competition. There were definitely unique challenges to overcome, but everyone came together to not just make it happen – they made it fabulous. We want to thank the participants for trusting us with their research and allowing us to run each attempt. We want to thank vendors for their support and for dialing in throughout the disclosure process. Their continued involvement in coordinated disclosure and security response processes helps the entire community. Special thanks also go out to our partner Facebook for their continued support before and during the contest.

Our next competition will be in Vancouver, where enterprise applications and tools will be put to the test. We hope to see you there. Until then, you can follow the team for the latest in exploit techniques and security patches.