During the first day of Pwn2Own 2021, contestants won $440,000 after successfully exploiting previously unknown vulnerabilities to hack Microsoft’s Windows 10 OS, the Exchange mail server, and the Teams communication platform.
The first to fall was Microsoft Exchange in the Server category after the Devcore team achieved remote code execution on an Exchange server by chaining together an authentication bypass and a local privilege escalation. This brought them $200,000 and 20 Master of Pwn points.
Next, a security researcher going by the online moniker OV obtained code execution on Microsoft Teams in the Enterprise Communications category by chaining two separate security bugs. He also earned $200,000 and 20 Master of Pwn points.
Team Viettel earned $40,000 and 4 Master of Pwn points after escalating privileges to SYSTEM from a regular user on Windows 10 while competing in the Local Escalation of Privilege category.
Confirmed! The Devcore team used an authentication bypass and a privilege escalation to take over the #Exchange server. They win the full $200,000 and 20 Master of Pwn points.
— Zero Day Initiative (@thezdi) April 6, 2021
Ryota Shiga of Flatt Security won $30,000 for an out-of-bounds (OOB) memory access bug that allows a local user to gain root on an Ubuntu Desktop machine.
The STAR Labs team failed to get their exploits to work in the allotted time while trying to exploit Oracle VirtualBox and Parallels Desktop in the Virtualization category.
On the second day, Pwn2Own competitors will target Google Chrome, Microsoft Edge (Chromium), and Zoom Messenger, while others will try their hand at new bugs in Microsoft Exchange, Windows 10, Ubuntu Desktop, and Parallels Desktop.
After the vulnerabilities are exploited during Pwn2Own, they are disclosed to the affected software and hardware vendors, who are given 90 days to develop and release security fixes before details of the bugs are made public.
During the Pwn2Own 2021 contest, 23 teams and researchers will target ten different products in the Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and Enterprise Communications categories.
Between April 6 and April 8, Pwn2Own contestants will be able to earn over $1,500,000 in cash and prizes, including a Tesla Model 3.
Team Fluoroacetate was the first to win a Tesla Model 3 at Pwn2Own after hacking the car’s Chromium-based infotainment system two years ago.
They also earned $375,000 at Pwn2Own 2019 after demoing exploits for Apple Safari, Oracle VirtualBox, VMware Workstation, Mozilla Firefox, and Microsoft Edge.