The 2021 spring edition of the Pwn2Own hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.
A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI).
Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems.
Some of the major highlights are as follows:
- Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server, for which the Devcore team netted $200,000
- Chaining a pair of bugs to reach code execution in Microsoft Teams, earning researcher OV $200,000
- A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system ($200,000)
- The exploitation of an integer overflow flaw in Safari and an out-of-bounds write to get kernel-level code execution ($100,000)
- An exploit aimed at the Chrome renderer to hack Google Chrome and Microsoft Edge (Chromium) browsers ($100,000)
- Leveraging use-after-free, race condition, and integer overflow bugs in Windows 10 to escalate from a regular user to SYSTEM privileges ($40,000 each)
- Combining three flaws (an uninitialized memory leak, a stack overflow, and an integer overflow) to escape Parallels Desktop and execute code on the underlying operating system ($40,000)
- Exploiting a memory corruption bug to successfully execute code on the host operating system from within Parallels Desktop ($40,000)
- The exploitation of an out-of-bounds access bug to elevate from a standard user to root on Ubuntu Desktop ($30,000)
The Zoom vulnerabilities exploited by Daan Keuper and Thijs Alkemade of Computest Security are particularly noteworthy because the flaws require no interaction from the victim other than being a participant on a Zoom call. What's more, the chain affects both Windows and Mac versions of the app, although it's not clear if Android and iOS versions are vulnerable as well.
Technical details of the flaws remain unclear as yet, and Zoom has a 90-day window to address the issues before they are made public. We have reached out to Zoom and we will update the story if we get a response.
In a statement sharing the findings, the Dutch security firm said the researchers “were then able to almost completely take over the system and perform actions such as turning on the camera, turning on the microphone, reading emails, checking the screen and downloading the browser history.”
Independent researcher Alisa Esage also made history as the first woman to win Pwn2Own after finding a bug in virtualization software Parallels. But she was only awarded a partial win for reasons that the issue had been reported to ZDI prior to the event.
“I can only accept it as a fact that my successful Pwn2Own participation attracted scrutiny to certain arguable and potentially outdated points in the contest rules,” Esage tweeted, adding, “In the real world there is no such thing as an ‘arguable point’. An exploit either breaks the target system or not.”