The Spring edition of “Pwn2Own” 2020 has concluded in Vancouver, Canada, and the results put Team Fluoroacetate in first place. This is the fourth event in a row won by researchers Amat Cama and Richard Zhu, who were followed by the Security Lab team of the Georgia Institute of Technology. Microsoft Windows, Apple macOS, and Ubuntu Linux all succumbed to the researchers’ attacks, confirming that nothing out there is 100% secure and that discovering exploitable zero-day flaws is only a matter of looking hard enough into how things work.
That's a wrap! #Pwn2Own 2020 officially comes to a close. We're happy to award the @fluoroacetate duo the title of Master of Pwn. It was a close event, but their 9 points (& $90K) was just ahead of the team from @SSLab_Gatech. Congrats to all the contestants.
— Zero Day Initiative (@thezdi) March 20, 2020
Here are the results:
Georgia Tech Security Lab – Successfully compromised Apple Safari with a macOS kernel escalation of privilege exploit. The team used a six-bug chain to pop calc and escalate to root. Payout: $70,000
Fluorescence – Successfully targeted Microsoft Windows using a “use-after-free” exploit, leading to escalation of privilege. Payout: $40,000
Manfred Paul – Used an improper input validation vulnerability to escalate privileges on Ubuntu Desktop. Payout: $30,000
Team Fluoroacetate – Leveraged a "use-after-free" flaw in Microsoft Windows to escalate to SYSTEM privilege. Payout: $40,000
Phi Phạm Hồng – Successfully targeted Oracle VirtualBox by using an OOB Read for an info leak and an uninitialized variable for code execution on the hypervisor. Payout: $40,000
Team Fluoroacetate – Used two “use-after-free” vulnerabilities, in Adobe Acrobat Reader and in the Windows kernel, to elevate privileges. Payout: $50,000
Pwn2Own (demonstration by Lucas Leong) – Guest-to-Host Escape on Oracle VirtualBox
The only exploit attempt that failed was that of the “Synacktiv team,” who tried to escape from VMware Workstation but couldn’t demonstrate their method within the given time.
All in all, this event was considered another huge success, unveiling crucial bugs that the software giants will now have to squash before they jeopardize users. Remember, these discoveries concern widely deployed and/or high-value software products. They can lead to total compromise (high privilege level) and are based on zero-day flaws present in the default configurations. There is no social engineering involved, and no special configuration or installation is a prerequisite for the exploits to work. All that said, we’re talking about exploitation at the highest level here, and this is why the payouts are pretty high too.