Hackers earned more than $1 million for zero-day exploits disclosed at the Tianfu Cup PWN hacking contest that took place on November 16-17 in Chengdu.
According to organizers, hackers earned $1,024,000 for a total of 30 vulnerabilities. Most of the amount of money, $620,000, was paid to a team from cybersecurity firm Qihoo 360. Other participants were teams from universities, Tencent, financial service provider Ant Financial, and independent researchers.
The highest reward is $200,000 that was paid out to participants that presented an iPhone X jailbreak and a remote code execution exploit.
White hat hackers earned a total of $120,000 for two Microsoft Edge exploits that could be exploited by remote attackers to execute arbitrary code.
Hackers also devised two Chrome exploit chains that allowed them to earn a total of $150,000.
Three teams earned $150,000 for Safari vulnerabilities, including $100,000 for a macOS zero-day exploit, organizers also paid $100,000 for hacking VMware Workstation and Fusion.
The VMware flaw could be exploited to execute code on the Workstation host from the guest, the company is working to provide a patch as soon as possible.
The iPhone X exploit leverages a type confusion Just-in-Time (JIT) bug in Safari and a use-after-free vulnerability in the iOS kernel. The organization notified the flaw to Apple and confirmed that hackers will share technical details after Apple will release a fix.
Hackers also demonstrated two Oracle VirtualBox exploit chains that were awarded $120,000.
Participants also earned a total of $80,000 for three Adobe Reader exploits and other $80,000 for a Microsoft Office exploit chain involving a logical bug and a memory corruption vulnerability.
Many other rewards were paid for working exploits for Vivo X23, OPPO R17, and Xiaomi Mi 8 smartphones.
Recently participants to another contest, the Zero Day Initiative’s Pwn2Own Tokyo 2018 earned over $300,000 for disclosing flaws affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.
(Security Affairs – Tianfu Cup PWN hacking contest, zero-day)