Welcome to Pwn2Own Tokyo 2019 - Schedule and Live Updating Results
November 05, 2019 | Dustin Childsこんにちは and welcome to Pwn2Own Tokyo 2019 -- coming to you again from PacSec at the Aoyama St. Grace Cathedral in Tokyo, Japan. This year’s contest is set to be our largest Pwn2Own Tokyo ever, with three contestant groups targeting eight unique products across seven categories. We have more than $750,000 USD available in cash and prizes available to the contestants, and of course no Pwn2Own competition would be complete without crowning a Master of Pwn (MoP) and awarding the coveted MoP jacket.
As always, we started the contest with a random drawing to determine the order of attempts. We have ten attempts scheduled for today and seven queued up for tomorrow. The full schedule for Day One is below (all times JTZ [UTC+9:00]). We will update this schedule with results as they become available.
Day One – November 6, 2019
0900 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Sony X800G in the Television category
SUCCESS – The Fluoroacetate duo used a Javascript OOB Read bug to exploit the television’s built-in web browser to get a bind shell from the TV. They earned $15K and 2 Master of Pwn points.
1000 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the NETGEAR Nighthawk Smart WiFi Router (R6700) (LAN interface) in the Router category
SUCCESS - The Flashback team used an auth bypass followed by a stack-based buffer overflow to get a shell on the router. They earned $5,000 and .5 points towards Master of Pwn.
1100 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Amazon Echo in Home Automation category
SUCCESS – The Fluoroacetate duo used an integer overflow in JavaScript to compromise the device and take control. They earned $60,000 USD and 6 more Master of Pwn points.
1200 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Q60 in the Television category
SUCCESS - Richard Zhu and Amat Cama continued their successful day by using an integer overflow in JavaScript to get a reverse shell from the Samsung Q60 television. They earned another $15,000 USD and 2 more Master of Pwn points.
1300 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Xiaomi Mi9 in the Web Browser category
SUCCESS - Amat Cama and Richard Zhu of Fluoroacetate used a JavaScript bug that jumped the stack to exfiltrate a picture from the Xiaomi Mi9. They earned $20,000 USD and 2 additional Master of Pwn points.
1400 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the NETGEAR Nighthawk Smart WiFi Router (R6700) (WAN interface) in the Router category
SUCCESS - The Flashback team of Pedro Ribeiro and Radek Domanski were able to remotely modify the router's firmware such that their payload persisted across a factory reset. They earned $20K and 1 more Master of Pwn point.
1500 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the TP-Link AC1750 Smart WiFi Router (LAN interface) in the Router category
SUCCESS - In their final attempt of the day, Pedro Ribeiro and Radek Domanski (Team Flashback) use a combination of 3 bugs starting witha command injection to get their code executing on the router. They earned $5,000 and .5 Master of Pwn points. That brings their one-day total to $30,000.
1600 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the TP-Link AC1750 Smart WiFi Router (LAN interface) in the Router category
PARTIAL - In the first bug collision of this Pwn2Own, the successful attempt from F-SecureLabs turns out to have used some of the same bugs as a previous contestant. It still qualified as a partial win, but no Master of Pwn points are awarded.
1700 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Galaxy S10 in the Short Distance category
SUCCESS - The Fluoroacetate duo used a bug in JavaScript JIT followed by a Use After Free (UAF) to escape the sandbox to grab a picture off the Samsung Galaxy S10 via NFC. Their final entry for Day One earns them $30,000 and 3 Master of Pwn points.
1800 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the Xiaomi Mi9 in the Web Browser category
PARTIAL - The F-Secure Labs team successfully chained a couple of logic bugs to exfiltrate a picture from the phone, however one of the bugs was known by the vendor. That makes it a partial win, but they still received $20,000 and 2 Master of Pwn points.
Day Two – November 7, 2019
1000 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Oppo F11 Pro in the Baseband category
WITHDRAWN - The team has withdrawn this entry.
1100 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Galaxy S10 in the Baseband category
SUCCESS - The duo used a stack overflow to push their file on to the handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points.
1200 - Amat Cama and Richard Zhu (fluoroacetate) targeting the NETGEAR Nighthawk Smart WiFi Router R6700 (LAN interface) in the Router category
PARTIAL - Although the team had a successful demonstration, the auth bypass used had also been used by a previous contestant. This counts as a partial win.
1300 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the TP-Link AC1750 Smart WiFi Router (WAN interface) in the Router category
SUCCESS - The duo used a stack overflow combined with a logic bug to get code execution through the WAN port of the TP-Link AC1750. They earn $20,000 and one Master of Pwn point.
1400 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the TP-Link AC1750 Smart WiFi Router (WAN interface) in the Router category
SUCCESS - The team from F-Secure combined a command injection bug along with some insecure settings to achieve their code execution via the WAN interface. The effort earns them $20,000 and one Master of Pwn point.
1500 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the Xiaomi Mi9 NFC component in the Short Distance category
SUCCESS - The F-Secure crew used an cross-site scripting (XSS) bug in the NFC component of the Xiaomi Mi9 to exfiltrate data just by touching their specially made NFC tag. Their efforts earned them $30,000 and 3 more Master of Pwn points.
1600 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Galaxy S10 in the Web Browser category
PARTIAL - Richard and Amat used an integer overflow with a UAF to escape the sandbox, however the overflow had been used by a previous contestant. This counts as a partial win.
We look forward to seeing the innovative research and attack techniques demonstrated by this year’s contestants. Once we verify the research presented is a true 0-day exploit, we immediately disclose the vulnerability to the vendor, who then has 90 days to release a fix. Representatives from Facebook, Samsung, Apple, Google, Amazon, Samsung, Xiaomi, Oppo, and Huawei are onsite and able to ask questions of the researchers if needed. At the end of the disclosure deadline, if a vendor is unresponsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation details in an effort to enable the defensive community to protect users.
We’ll update this blog with results as they become available. Follow us on Twitter for the latest information, and check back for our end-of-day blog recapping all of the results and awards.