Pwn2Own 2018: Results from Day One
March 15, 2018 | Dustin ChildsThe first day of Pwn2Own 2018 has come to a close, and so far, we’ve awarded $162,000 USD and 16 points towards Master of Pwn. Today saw 2 successful attempts, 1 partial success, and 1 failure. In total, we purchased 3 Apple bugs, 2 Oracle bugs, and 3 Microsoft bugs.
The day began with Richard Zhu (fluorescence) targeting Apple Safari with a sandbox escape. Unfortunately, he could not get his exploit chain working within the time allotted due to a failure in the heapspray technique. Despite this, the bugs he brought to the contest were certainly interesting and were purchased through the regular ZDI program.
Richard returned to target Microsoft Edge with a Windows kernel EoP, and he brought a flair for the dramatic with him. After his first attempt failed, he proceeded to debug his exploit in front of the crowd while still on the clock. His second attempt nearly succeeded, but the target blue screened just as his shell started. His third attempt succeeded with only one minute and 37 seconds left. In the end, he used two use-after-free (UAF) bugs in the browser and an integer overflow in the kernel to successfully run his code with elevated privileges. The dramatic effort earned him $70,000 and 7 points towards Master of Pwn.
Next up, Niklas Baumstark (_niklasb) from the phoenhex team targeted Oracle VirtualBox. Apparently not one for added intrigue, his exploit immediately popped not one, but three different calcs to indicate success. His demonstration qualified as a partial success as he used an Out-of-Bounds (OOB) read and a Time of Check-Time of Use (toctou) to still earn him $27,000 and 3 Master of Pwn points. It was a great demonstration, and we look forward to more of his research in the future.
The final attempt on Day One saw Samuel Groß (5aelo) of phoenhex targeting Apple Safari with a macOS kernel EoP. Last year, his exploit involved a touchbar component, and this year proved to be no different.
He used a combination of a JIT optimization bug in the browser, a macOS logic bug to escape the sandbox, and finally a kernel overwrite to execute code with a kernel extension to successfully exploit Apple Safari. This chain earned him $65,000 and 6 points towards Master of Pwn. Similar to last year, he left a message for us on the touchbar once he was complete.
Day One also saw multiple entrants withdraw from the contest at the last minute. Some were due to the multiple security patches released yesterday, and others simply didn’t finish their exploit chains in time for the contest. We’re still in touch with these researchers and hope to acquire these bugs through regular ZDI purchase methods.
Stay tuned to our Twitter feed and this blog for tomorrow's results as we wrap up Pwn2Own 2018!