Pwn2Own 2020 – Day One Results

March 19, 2020 | Dustin Childs

The first day of Pwn2Own 2020 wrapped up, and despite its virtual nature, some amazing research was put on display. On the first day of the contest, we awarded $180,000 for 9 bugs across three categories. Every attempt was successful.

The day began with Pwn2Own newcomers – a team from Georgia Tech Systems Software & Security Lab (@SSLab_Gatech) consisting of Yong Hwi Jin, Jungwon Lim, and Insu Yun. They were targeting Apple Safari with a macOS kernel escalation of privilege. They chained together six unique bugs, starting with a JIT vulnerability and ending with a TOCTOU/race condition, to escape the sandbox and pop a root shell. They also disabled System Integrity Protection (SIP) on the device to demonstrate that they achieved kernel-level code execution. Their smooth demonstration earned them $70,000 and 7 points towards Master of Pwn.

Figure 1 - Insu Yun of the Georgia Tech SSL Team confirms the root shell on his team’s exploit

Next up, Pwn2Own veteran fluorescence set his sights on Microsoft Windows 10. True to form, his use-after-free (UAF) bug in Windows allowed him to escalate permissions to SYSTEM. He earned $40,000 and 4 Master of Pwn points in the process.

Figure 2 - Richard Zhu observes his successful LPE

Our third attempt of the day saw another Pwn2Own rookie take the field. Manfred Paul of the RedRocket CTF team chose to target the Ubuntu Desktop with a local privilege escalation (LPE) exploit. He leveraged an improper input validation bug in the kernel to go from a standard user to root. His first foray into the world of Pwn2Own earned him $30,000 and 3 points towards Master of Pwn.

Figure 3 - Manfred Paul smiles after escalating to root on Ubuntu Desktop

The first day of Pwn2Own 2020 ended with the returning Fluoroacetate duo of Amat Cama and Richard Zhu ready to defend their Master of Pwn crown. They leveraged a UAF in Windows to escalate from a regular user to SYSTEM. And yes, this was a different UAF than the one used earlier in the day. This final entry of Day One earned them $40,000 and 4 points towards Master of Pwn.

Figure 4 - Amat Cama (top) and Richard Zhu of Fluoroacetate observe their successful attempt

That wraps up the first day of Pwn2Own 2020. Even when we’re physically separated by thousands of miles, we’re brought together by some great research and exploit demonstrations. Join us tomorrow for our second and final day of the contest. As with today, we’ll be Tweeting and updating the blog with results as they occur.

Stay tuned to our Twitter feed and this blog for tomorrow's results as we wrap up this year’s edition of Pwn2Own.