Pwn2Own 2019  - 5R1Fm1553146753 - Pwn2Own 2019 – Ethical Hackers Earned $240,000 for Zero-day

Trend Micro’s Zero Day Initiative (ZDI) vulnerability research contest
Successfully started its first-day contest and the team of researchers earned $240,000 in the first day alone for the successful zero-day Submissions.

Trend Micro announced $1 million in cash and prizes through the contest for the researchers who submit the zero days the specific platform including virtualization platforms, enterprise applications, web browsers, and more.

List of Targets in Pwn2Own 2019

  • Automotive Category
  • Virtualization Category
    • Oracle VirtualBox
    • VMware Workstation
    • VMware ESXi
    • Microsoft Hyper-V Client
  • Browser Category
    • Google Chrome
    • Microsoft Edge
    • Apple Safari
    • Mozilla Firefox
  • Enterprise Applications Category
    • Adobe Reader
    • Microsoft Office 365
    • Microsoft Outlook
  • Server-side Category

Last year, Overall ZDI awarded $325,000 USD total over the two-day contest and they purchasing 18 0-day exploits.

This year’s contest, ZDI also introduced an automotive category, through a partnership with Tesla, as well as a continued partnership with Microsoft and sponsorship from VMware same as last year.

Unlike last year, this year Pwn2Own 2019 contest conducted for 3 days (20,21,22 March 2019) in which first and the second day opens for vendors and all automotive entries will be on Day Three (March 22)

Pwn2Own 2019 – Day 1

On the very First day, a team called Fluoroacetate alone earned $160, 000 USD for the successful submission of 3 zero days.

Initially, they used a bug in JIT with a heap overflow to escape the sandbox in Safari browser and earned $55, 000 along with 5 Master of Pwn points.

The second target was Oracle VirtualBox in the virtualization category, in which they exploit integer underflow and a race condition to escape Virtual machine and they earned another $35,000  with 3 Master of Pwn points

“Third target was VMware and they leveraging a race condition leading to an out-of-bounds write in the VMware client to execute their code on the host OS”

In this case, Fluoroacetate rewarded another $70,000 and 7 more Master of Pwn points and they closed their day was closed.

Another Researcher anhdaden targeting Oracle VirtualBox in the virtualization category and he submitted integer underflow zero day exploit in Oracle VirtualBox.

In his first Pwn2Own, he earns himself $35,000 USD and 3 Master of Pwn point.

Next team Phoenhex & qwerty (@_niklasb @qwertyoruiopz @bkth_)
targeting Apple Safari and day 1 ends with a partial win $45,000 and 4 points towards Master of Pwn.

So totally $240, 000 USD rewarded in the first day alone. Stay Tuned, we keep updates the remaining 2 days results with the complete details.

Related Read

Crowdfense Announced to Pay $3 Million Bug Bounty for iOS & Android Zero-day Exploits

Researcher Awarded $10,000 for Disclosing Critical XSS Vulnerability in Yahoo Mail





Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here