Pwn2Own Vancouver 2019 - The Schedule and Live Results
March 20, 2019 | Dustin ChildsWelcome to Pwn2Own Vancouver 2019, where for the first time in the contest’s history, we have an automotive category to go along with the more traditional targets of web browsers, virtualization servers, enterprise applications, and Windows RDP. Our returning partner Microsoft and sponsor VMware welcomes Tesla as a new partner this year, and their contributions include a Model 3 that someone could walk away with. The schedule for today is posted below, and we’ll be updating this blog throughout the day with results and updates.
All automotive entries will be on Day Three (March 22).
Day One
1000 - Fluoroacetate (Amat Cama and Richard Zhu) targeting Apple Safari plus a sandbox escape in the web browser category.
Success: - The Fluoroacetate team used a bug in JIT with a heap overflow to escape the sandbox. In doing so, they earn themselves $55,000 and 5 Master of Pwn points.
1130 - Fluoroacetate (Amat Cama and Richard Zhu) targeting Oracle VirtualBox in the virtualization category.
Success: - The Fluoroacetate team returned with a an integer underflow and a race condition to escape the virtual machine and pop calc on the underlying OS. They earned another $35,000 and 3 points towards Master on Pwn.
Success: - anhdaden uses an integer underflow in Orcale VirtualBox to go from the client to the underlying OS. In his first Pwn2Own, he earns himself $35,000 USD and 3 Master of Pwn point.
1430 - Fluoroacetate (Amat Cama and Richard Zhu) targeting VMware Workstation in the virtualization category.
Success: - The Fluoroacetate duo finished their first day by leveraging a race condition leading to an out-of-bounds write in the VMware client to execute their code on the host OS. The earn themselves another $70,000 and 7 more Master of Pwn points.
1600 - Phoenhex & qwerty (@_niklasb @qwertyoruiopz @bkth_) targeting Apple Safari with a kernel escalation in the web browser category.
Partial Success The phoenhex & qwerty team used a JIT bug followed by heap OOB read, then pivoted from root to kernel via a TOCTOU bug. It's a partial win since Apple already knew 1 of the bugs. They still win $45,000 and 4 points towards Master of Pwn.
Day Two
1000 - Fluoroacetate (Amat Cama and Richard Zhu) targeting Mozilla Firefox with a kernel escalation in the web browser category.
Success: - The Fluoroacetate team used a bug in JIT along with an out-of-bounds write in the Windows kernel to earn themselves $50,000 and 5 Master of Pwn points.
1130 - Fluoroacetate (Amat Cama and Richard Zhu) targeting Microsoft Edge with a kernel escalation and a VMware escape in the web browser category.
Success: - The Fluoroacetate team used a comibnation of a type confusion in Edge, a race condition in the kernel, and finally a out-of-bounds write in VMware to go from a browser in a virtual client to executing code on the host OS. They earn $130,000 plus 13 Master of Pwn points.
1400 - Niklas Baumstark targeting Mozilla Firefox with a sandbox escape in the web browser category.
Success: - Niklas used a JIT bug in Firefox followed by a logic bug for the sandbox escape. The successful demonstration earned him $40,000 and 4 Master of Pwn points.
1530 - Arthur Gerkis of Exodus Intelligence targeting Microsoft Edge with a sandbox escape in the web browser category.
Success: - In his Pwn2Own debut, Arthur used a double free in the render and logic bug to bypass the sandbox. The effort earned him $50,000 and 5 points towards Master of Pwn.
Day Three
1000 - Team KunnaPwn targeting the VCSEC component of the Tesla Model 3 in the automotive category.
Withdrawn: - The Team KunnaPwn team has withdrawn their entry from the automotive category.
1300 - Fluoroacetate (Amat Cama and Richard Zhu) targeting the infotainment system (Chromium) on the Tesla Model 3 in the automotive category.
Success: - The Fluoroacetate duo used a JIT bug in the renderer to win $35,000 and a Model 3.
As always, we’ll update this blog with results throughout the day and recap each day’s events in a separate post. You can also find the latest results by following our Twitter feed. Best of luck to all of our contestants!