Researchers pocket record $400K at Pwn2Own hacking contest's first day

Internet Explorer, Firefox, and Adobe Flash and Reader are the first technologies to fall at the convention; Safari and Chrome are today's targets

Researchers on Wednesday cracked Microsoft's IE11 (Internet Explorer 11), Mozilla's Firefox, and Adobe's Flash and Reader at the Pwn2Own hacking contest, earning $400,000 in prizes, a one-day record for the challenge.

Pwn2Own continues today, when other teams and individual researchers will take their turns trying to break Apple's Safari and Google's Chrome.

[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

A team from Vupen, a French vulnerability research firm and seller of zero-day flaws to governments and law enforcement agencies, ended Wednesday $300,000 richer, having hacked Adobe Flash, Adobe Reader, Firefox, and IE11 for a one-day foursome, another record.

Firefox was victimized a total of three times in just over six hours, once by Vupen and then two other times by researchers Mariusz Mlynski and Jri Aedla, with each winner picking up $50,000 for their exploit.

Although Pwn2Own was originally going to offer cash prizes only to the first who hacked each target, the contest organizer, Hewlett-Packard's ZDI (Zero Day Initiative), changed the ground rules on the fly, saying early Wednesday that it would pay for all vulnerabilities used by the contestants.

With that move, ZDI, a bug bounty program that's part of HP's TippingPoint division, said it and co-sponsor Google -- the latter pitched in 25 percent of the prize money -- would end up paying more than $1 million if all 15 entrants, another record, were successful.

Wednesday's efforts were impressive in their own right, with each scheduled target falling to researchers within five minutes. Contestants come to Pwn2Own with zero-day vulnerabilities and exploits in their pockets, and do not find the bugs and craft attack code on-site.

"All the exploits were unique in their own way," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview after the conclusion of Pwn2Own's first day. Gorenc declined to single out the most impressive or elegant exploit. "It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities."

A "sandbox" is an anti-exploit technology deployed by some software -- Internet Explorer, Flash and Reader all rely on sandboxes -- that is designed to isolate an application so that if attackers do find a vulnerability in the code, they must circumvent, or "escape" the sandbox, to execute their malicious code on the machine. Sandbox escapes typically require chained exploits of two or more vulnerabilities.

The day's total of $400,000 nearly matched last year's Pwn2Own two-day payout of $480,000.

Vupen kicked off the day by hacking Adobe Reader, winning $75,000 for the feat.

"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw). Exploit reported to Adobe!," Vupen said on its Twitter account.

Next up was IE11 on a notebook running Windows 8.1, Microsoft's most-current operating system. "We've pwnd IE11 on Win 8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox," Vupen announced on Twitter after grabbing $100,000 for the hack.

"Use-after-free" is a term for a type of memory management bug, while "broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes. A flaw in a broker, as Vupen demonstrated, can have catastrophic effects, letting a hacker escape the sandbox and execute attack code.

Vupen also exploited Adobe Flash and Firefox, Mozilla's open-source browser, winning prizes of $75,000 and $50,000, respectively.

Mlynski and Aedla each won $50,000 for hacking Firefox. Gorenc confirmed that the three Firefox attempts exploited different vulnerabilities.

Both Mlynski and Aedla are experienced researchers: Mlynski has reported several Firefox vulnerabilities to that browser's security team, while Aedla earned more than $10,000 in bug bounties by submitting numerous Chrome flaws to Google in 2011 and 2012.

TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which all had representatives on-site, ready to jump on patching.

"I think we hit it out of the park this time," said Gorenc of ZDI, referring to how smoothly Pwn2Own ran Wednesday. "We gave the contestants 30 minutes each, but most of them demonstrated their exploits within minutes, all within five minutes, and then used the remaining time to go to the disclosure room where vendors waited."

Before Pwn2Own kicked off at noon PT Wednesday at CanSecWest -- the Vancouver, British Columbia, security conference that has hosted the contest for the last eight years -- ZDI and Google sponsored a new challenge, dubbed "Pwn4Fun," where the two sponsors raised $82,500 for the Canadian Red Cross by presenting vulnerabilities and exploits of their own.

The Google team cracked Apple's Safari at Pwn4Fun, while ZDI presented a multi-exploit hack of IE11 and disclosed six additional Internet Explorer vulnerabilities that its own researchers had found over the last two weeks, said Gorenc.

Some had taken to Twitter over the last week to criticize Google and ZDI for Pwn4Fun, arguing that because the two teams had "banked" vulnerabilities to use in the charity drive, they were being hypocritical by not immediately informing the vendors -- Apple and Microsoft in this case -- of the bugs.

But Gorenc defended Pwn4Fun. "We made the browsers safer [with Pwn4Fun], and we're excited about that," Gorenc said.

Pwn2Own continues today, with Vupen and several independent researchers slated to tackle Apple's Safari and Google's Chrome, as others take additional attempts at Adobe Flash, Firefox and Internet Explorer.

Among today's scheduled contestants is George Hotz, also known as "geohot," a noted iPhone and Sony PlayStation 3 hacker, who will try his hand at breaking Firefox. Hotz has participated in previous Pwn2Own challenges, including last year's, where he exploited Adobe Reader for a $70,000 prize.

Also yesterday, Google ran its own one-day "Pwnium 4" contest at CanSecWest, pitting researchers against Chrome OS, the browser-based operating system that powers Chromebook laptops. According to a company post on Google+, one researcher successfully exploited Chrome OS on an HP Chromebook 11, winning the notebook and a $150,000 prize.

"We'll be considering partial credit for a second researcher working on the same platform," Google wrote, adding that it would publish a longer recap after CanSecWest concludes on Friday.

ZDI has posted a brief description of the results on its website.

"This is a first for the white hat market," said Gorenc of the first day's total awards of $400,000. "Over two days, we'll probably pay out over a million dollars for responsibly disclosed vulnerabilities. We're excited to do that."

This article, Researchers pocket record $400K at Pwn2Own hacking contest's first day, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com. See more articles by Gregg Keizer.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

This story, "Researchers pocket record $400K at Pwn2Own hacking contest's first day" was originally published by Computerworld .

Join the discussion
Be the first to comment on this article. Our Commenting Policies