Announcing Pwn2Own Vancouver 2021
January 26, 2021 | Brian Gorenc

This year marks the 14th anniversary of Pwn2Own, which has grown from a small, browser-focused event to become one of the most well-known security contests in the industry, with millions of dollars of cash and prizes made available to contestants over the years. Every year the contest changes a bit as we reflect on the changing world around us. As cloud computing grew, we added the Virtualization category. In 2019, we added the Automotive category. For this year’s event, we’re adding the Enterprise Communications category.
As the workforce moves out of the office and goes remote, the tools needed to support that change become greater targets. That’s one reason we added this new category and teamed up with Zoom to have them in the contest. Microsoft Teams will also be a target. A successful demonstration of an exploit in either of these products will earn the contestant $200,000 – quite the payout for a new category. Tesla returns for this year’s contest, but driving off with a brand-new Model 3 will be more of a challenge this year. Of course, that means the rewards are greater as well, with the top prize going for $600,000 (plus the car itself). Also new this year, Adobe joins as a partner for 2021. Their applications have been a frequent target in past contests, so it’s great to see their increased investment in community research.
For 2021, we’ll have a bit of a hybrid contest. Starting on April 6 and running through April 8, 2021, we’ll have ZDI staff in Toronto and Austin running the exploits. Contestants can be anywhere in the world and won’t need to travel. As we did with our fall event, everything will be live-streamed on Twitch, YouTube, and more. All told, more than $1,500,000 USD in cash and prizes are available to contestants, including the Tesla Model 3, in the following categories:
And, of course, Pwn2Own would not be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.
Cars aren’t the only thing providing a big payout this year. VMware returns as a Pwn2Own sponsor for 2021, and this year we’ll again have VMware ESXi alongside VMware Workstation as a target, with awards of $150,000 and $75,000 respectively. Microsoft returns as a target for 2021 and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox and Pwn2Own newcomer Parallels Desktop round out this category with a prize of $40,000 for either. Cloud computing relies on virtualization, as do many other critical computing functions. We’ve seen guest-to-host OS escalations in previous Pwn2Own contests. Here’s hoping we see more this year.
Rules updated as of March 15, 2021
For Oracle VirtualBox, VMware Workstation, and Microsoft Hyper-V Client, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop and the host operating system will be running Microsoft Windows 10 20H2 x64. For Parallels Desktop, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop and the host operating system will be running Apple macOS Big Sur. For VMware ESXi, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop. Certain optional components, such as RemoteFX, Legacy Network Adapter (Generation 1), and Fibre Channel Adapter, are not considered default and will be out of scope for the Microsoft Hyper-V Client target.
There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi and Parallels Desktop), they can earn an additional $40,000 and 4 more Master of Pwn points.
Web browsers are the “traditional” Pwn2Own target, but this year, we’re adding a few wrinkles in that category. First, for Google Chrome and Microsoft Edge (Chromium), a successful demonstration no longer requires a sandbox escape. Renderer-only exploits will earn $50,000, but if you have that sandbox escape or Windows kernel privilege escalation, that will earn you $150,000. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $50,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant is able to compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $75,000 and 8 more Master of Pwn points. Full exploits are still required for Apple Safari and Mozilla Firefox.
Enterprise applications also return as targets with Adobe Reader and various Office components on the docket. Prizes in this category run from $40,000 for a Reader exploit with a sandbox escape, through $50,000 for a Reader exploit with a Windows kernel privilege escalation, to $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. There’s a better than average chance that you use one (or more) of these applications in your average day, making this category relevant to nearly everyone with a computer.
The Office targets will be running Microsoft Office 365 ProPlus x64 (Monthly Channel) on Windows 10 x64. Microsoft Office-based targets will have Protected View enabled. Adobe Reader will have Protected Mode enabled.
For 2021, we are expanding the Server category by adding Microsoft Exchange and SharePoint. Both of these servers were targeted by attackers over the last year. We’re also increasing the award for RDP/RDS entries to $200,000 for a full exploit. Attacks that require authentication will not be counted as a full win. As always, attempts in this category must be launched from the contestant’s laptop within the contest network.
This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. This is a common tactic for malware and ransomware, so these bugs are highly relevant. In this category, the entry must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop and Microsoft Windows 10 are the two OSes available as targets in this category.
Our newest category focuses on tools that we have come to rely on as we evolved into a remote workforce. Zoom has become a partner for their inaugural Pwn2Own, and we’re happy to have them on board. A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio call, video conference, or message. Both Zoom and Microsoft Teams have a $200,000 award available, so we’re hoping to see some great research.
We introduced the Automotive category in 2019, and we are excited to have Tesla return as a partner for 2021. Due to the virtualized nature of last year’s contest, we weren’t able to have any attempts, so we’re excited to have the opportunity this year. However, we wanted to raise the level of complexity for this year’s event. Tesla vehicles are equipped with multiple layers of security, and for 2021, there are three different tiers of awards within the Automotive category that correspond to some of the different layers of security within a Tesla car, with additional prize options available in certain instances.
Tier 1 earns the top prizes and represents a complete vehicle compromise. Correspondingly, this also has the highest award amounts. To win this level, a contestant will need to pivot through multiple systems in the car, meaning they will need a complex exploit chain to get arbitrary code execution on three different sub-systems in the vehicle. Success here gets a big payout and, of course, a brand-new Tesla Model 3.
In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $600,000. This represents the single largest target in Pwn2Own history. If someone is able to do this, it would also mean 70 total Master of Pwn points, which is nearly insurmountable. Here’s some additional info on the optional add-ons.
Again, it’s hard to express the difficulty in completing such a demonstration, but we’re certainly hopeful that someone is able to show off their exploit skills.
Tier 2 in this category is not quite as complex but still requires the attacker to pivot through some of the vehicle’s sub-systems. This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge. If you include the optional targets, the largest payout for Tier 2 would be $500,000. A winning entry in Tier 2 would still be a pretty impressive and exciting demonstration and includes driving off with the Model 3.
The targets in Tier 3 could prove to be just as difficult, but you only need to compromise one sub-system for a win here, which is still no easy task. Not every instance within Tier 3 includes winning the car. To drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below.
Conclusion
The complete rules for Pwn2Own 2021 are found here. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have a specific configuration or rule-related questions, email us. Questions asked over Twitter or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at zdi@trendmicro.com to begin the registration process. Registration closes at 5 p.m. Pacific Time on April 2, 2021.
Update as of March 15: If you have either travel restrictions or travel-safety concerns, you can choose to opt for remote participation. You still need to register before the contest deadline (April 2nd, 2021). You will also need to send the entry, a detailed whitepaper completely explaining your exploit chain, and instructions on how to run the entry by 5:00 p.m. Pacific Time on April 4th, 2021. A member of the ZDI staff will run the exploit for you. All attempts will be filmed and available for viewing by you. If requested, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur.
Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a sweet ride home from this year’s Pwn2Own competition.
With special thanks to our Pwn2Own 2021 Partners Tesla, Zoom, and Adobe.
Thanks also to our Pwn2Own 2021 Sponsor
©2021 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.