On the first day of Pwn2Own Vancouver 2019, subscribers successfully hacked into the Apple Safari web browser, Oracle's VirtualBox and VMware Workstation Total 240,000 US dollars Dollars in cash.
The Fluoroacetate team targeted all three apps on the first day of Pwn2Own, using them all successfully, earning $ 160.00.
Apple's Safari First Involved It managed to hack a bug in JIT with a heap overflow to escape the sandbox following Pwn2Own Vancouver 201
Next they used "an integer underflow and a race condition" to escape the virtual machine and place it on the underlying machine operating system "targeting Oracle VirtualBox in the" virtualization "category of the contest. [19659003ThelastprogramtheytookadvantageofwasVMwareWorkstationwhichgavethem$70000inprizesafterrunningaraceTheconditionthatresultsinanout-of-boundcommandiswrittenbytheVMwareclienttohisCodeonthehostOS"
Also on the first day, anhdaden of STAR Labs managed to win $ 35,000 after using an integer underflow in the Oracle VirtualBox client switch from the client to the underlying operating system.
phoenhex & qwerty's team was the only team to target Apple's Safari web browser, earning him $ 45,000 for a complete kernel escalation resulting in a complete system compromise triggered by an exploit chain "used a JIT error followed by heap OOB read and then panned from root to kernel via a TOCTOU error".
However, this was a partial success, as Apple already knew about one of the two software bugs that completely compromised the macOS operating system by attacking the Safari web browser.
The complete schedule and results after each breakout attempt are listed in the table below.
|10:00 – Fluoracetate (Amat Cama and Richard Zhu) as the target of Apple Safari and a sandbox escape in the web browser category.||Success: – The fluoroacetate team used a bug in JIT with a heap overflow to escape from the sandbox. They earn $ 55,000 and 5 Master of Pwn points.|
|11:30 – Fluoroacetate (Amat Cama and Richard Zhu) target Oracle VirtualBox in the virtualization category.||Success: – The fluoroacetate team returned with an integer underflow and race condition to escape the virtual machine and decalcify the underlying operating system. They earned another $ 35,000 and 3 points for Master in Pwn.|
|13:00 – anhdaden by STAR Labs, which targets Oracle VirtualBox in the virtualization category. Success: – anhdaden uses an integer underflow in Orcale VirtualBox to get from the client to the underlying operating system. In his first Pwn2Own, he earned $ 35,000 and 3 Master of Pwn points.|
|14:30 – Fluoroacetate (Amat Cama and Richard Zhu) for VMware Workstation in Virtualization Category.||Success: – The fluoroacetate duo ended its first day with a race condition that resulted in out-of-bounds writes to the VMware client to execute its code on the host operating system. They earn another $ 70,000 and 7 more Master of Pwn points.|
|16:00 – Phoenhex & qwerty ( @_niklasb @qwertyoruiopz @bkth_ ) target Apple Safari with a kernel escalation in the web browser category.||Partial Success: – The phoenhex & qwerty team used a JIT error, followed by heap OOB-Read, and then waved from the root to the kernel via a TOCTOU error. It's a partial win, since Apple already knew 1 of the mistakes. They still win $ 45,000 and 4 points for Master of Pwn.|
This year's edition of Pwn2Own is the first to win a car category with prices ranging from $ 35,000 to $ 300,000, depending on a variety of factors, including the exploit used "When trying to find a middle-class Rear-wheel drive vehicle to be hacked by Tesla Model 3.
In addition, according to the organizers of the competition, the first successful researchers will be able to race in their own brand-new Model 3 after the end of the competition. "
The targets and available car category prices are listed below:
Pwn2Own's Vancouver 2019 schedule will allow participants to try on the second day of the contest to win the Mozilla Firefox and Microsoft Edge web browsers.
On the final day of this year's Pwn2Own computer hacker contest, researchers are targeting the VCSEC component and the Tesla Model 3 Chromium-based i nfotainment system in the Automotive category.