pwn2own 2019

Earlier this week, Pwn2Own Vancouver 2019 kicked off with participants from all around the world. This year was the first time in the contest’s history to include an automotive category. The event was sponsored by Microsoft, VMware, and Tesla.

Over the course of three days, numerous events were organized that took down various software and operating systems. So, let’s tell you about them one by one along with the prize money for each hack:

Note: Each of these hacks were performed using some particular type of bugs/exploits. You can refer to external resources like Wikipedia to know about them detail.

Safari

The Fluoroacetate team (the duo of Amat Cama and Richard Zhu) was able to successfully exploit Apple’s homegrown browser. The team bypassed the sandbox feature using integer overflow and heap overflow. Their brute force technique earned them a handsome $55,000 reward.

In another event, the phoenhex & qwerty team took down Safari with the help of kernel elevation. They triggered a JIT bug by browsing their website and then tried to exploit a Time-of-Check-Time-of-Use (TOCTOU) bug. As Apple is already aware of one of the bugs, it was considered a partial win. However, the team ended up winning $45,000.

Mozilla Firefox

The Fluoroacetate team also targeted the Firefox web browser by exploiting a JIT bug. It was followed by an out-of-bounds write in the Windows kernel. Lastly, they visited a specially designed site and ended up winning $50,000.

Another attempt to hack Firefox was made by Niklas Baumstark who also used JIT bug and logic bug to fool the sandbox. He was awarded $40,000 prize money.

Microsoft Edge

In case you’re wondering, Fluoroacetate didn’t spare Microsoft’s Edge browser. They opened Edge via a VMWare workstation and used an exploit to take down the underlying Windows host. This win earned them a massive prize money of $130,000.

Edge was further targeted by Arthur Gerkis of Exodus Intelligence, who used a double free bug followed by a logic bug to avoid the sandbox. He won a $50,000 prize money.

Tesla

Last but not least, Tesla became the ultimate target of the prolific Fluoroacetate duo. They hacked a Tesla Model 3 by exploiting a JIT bug, and used its web browser to display their message. They earned $35,000 in prize money as well as that Tesla Model 3.

It’s worth noting that the Fluoroacetate team also dominated the Pwn2Own Tokyo in the past. Over the course of three days, they earned $375,000 and the deserving title of Master of Pwn for 2019.

Regarding the exploits and bugs showcased at the event, all the details will be provided to the onsite companies to help them release their patches. After 90 days, the details of the bugs will be made public.

Also Read: PewDiePie Ransomware Locks Your Files Until 100M Subscribers Is Reached