Welcome to Pwn2Own Tokyo 2018 - Day One
November 12, 2018 | Dustin Childsこんにちは and welcome to Pwn2Own Tokyo 2018 -- coming to you again from PacSec at the Aoyama St. Grace Cathedral in Tokyo, Japan. The venue is decked out for the holidays, and we’re expecting our stockings to be filled with fantastic research. We have more than $500,000 USD available in cash and prizes available to the contestants, and of course no Pwn2Own competition would be complete without crowning a Master of Pwn (MoP) and awarding the coveted MoP jacket.
This year, we have 3 groups of contestants lined up to exploit 11 of the world’s most popular mobile handsets. The browsers, short distance communications, and baseband categories will all be tested across 11 attempts. If you’re interested, the full list of targets and awards – along with the complete rules – can be found here.
As always, we started the contest with a random drawing to determine the order of attempts. We have six attempts scheduled for today and five set for tomorrow. The full schedule for Day One is below (all times JTZ [UTC+9:00]). We will update this schedule with results as they become available.
Day One – November 12, 2018
0930 - Fluoroacetate (@fluoroacetate) - Amat Cama and Richard Zhu targeting the Xiaomi Mi6 in the short distance (NFC) category
Success: - The Fluoroacetate team used an Out-Of-Bounds write in WebAssembly to get code execution via NFC. They earn themselves $30,000 USD and 6 Master of Pwn points.
1100 - MWR Labs (@mwrlabs) -Georgi Geshev (@munmap), Fabi Beterke (@pwnfl4k3s), Rob Miller (@trotmaster99) targeting the Xiaomi Mi6 in the short distance (Wi-Fi) category
Success: - The MWR Labs team got code execution on the Xiaomi handset by using a chain of five different bugs - including the silent installation of app via JavaScript - to earn themselves $30,000 USD and 6 Master of Pwn points.
1230 - Fluoroacetate (@fluoroacetate) - Amat Cama and Richard Zhu targeting the Samsung Galaxy S9 in the baseband category
Success: - The Fluoroacatate duo successfully achieved code execution by using a heap overflow in the baseband component. The exploit earns them another $50,000 USD and 15 more Master of Pwn points.
1400 - Fluoroacetate (@fluoroacetate) - Amat Cama and Richard Zhu targeting the iPhone X in the short distance (Wi-Fi) category
Success: - The dynamic Fluoroacetate duo used a JIT bug followed by an Out-Of-Bounds write to get code execution on the iPhone X. They earned themselves an additional $60,000 USD and 10 more Master of Pwn points.
1530 - MWR Labs (@mwrlabs) -Georgi Geshev (@munmap), Fabi Beterke (@pwnfl4k3s), Rob Miller (@trotmaster99) targeting the Samsung Galaxy S9 in the short distance (Wi-Fi) category
Success: - The team combined three bugs to load their application on Samsung Galaxy S9. The exploit chain earns them another $30,000 and 6 more Master of Pwn points.
1700 – Michael Contreras targeting the Xiaomi Mi6 in the browser category
Success: - Michael used a JavaScript type confusion bug to get code execution on the Xiaomi Mi6. He earned himself $25,000 and 6 Master of Pwn points.
We look forward to seeing the innovative research and attack techniques demonstrated by this year’s contestants. Once we verify the research presented is a true 0-day exploit, we immediately disclose the vulnerability to the vendor, who then has 90 days to release a fix. Representatives from Apple, Google, Samsung, Xiaomi, and Huawei are onsite and able to ask questions of the researchers if needed. At the end of the disclosure deadline, if a vendor is unresponsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation details in an effort to enable the defensive community to protect users.
We’ll update this blog with results as they become available. Follow us on Twitter for the latest information, and check back for our end-of-day blog recapping all of the results and awards.