The 2021 spring edition of Pwn2Own hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.
A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI).
Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems.
Some of the major highlights are as follows —
- Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server, for which the Devcore team netted $200,000
- Chaining a pair of bugs to achieve code execution in Microsoft Teams, earning researcher OV $200,000
- A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system. ($200,000)
- The exploitation of an integer overflow flaw in Safari and an out-of-bounds write to get kernel-level code execution ($100,000)
- Leveraging use-after-free, race condition, and integer overflow bugs in Windows 10 to escalate from a regular user to SYSTEM privileges ($40,000 each)
- Combining three flaws — an uninitialized memory leak, a stack overflow, and an integer overflow — to escape Parallels Desktop and execute code on the underlying operating system ($40,000)
- Exploiting a memory corruption bug to successfully execute code on the host operating system from within Parallels Desktop ($40,000)
- The exploitation of an out-of-bounds access bug to elevate from a standard user to root on Ubuntu Desktop ($30,000)
The Zoom vulnerabilities exploited by Daan Keuper and Thijs Alkemade of Computest Security are particularly noteworthy because the flaws require no interaction from the victim other than being a participant on a Zoom call. What's more, they affect both the Windows and Mac versions of the app, although it's not clear whether the Android and iOS versions are vulnerable as well.
Technical details of the flaws are yet to be disclosed, but in a statement sharing the findings, the Dutch security firm said the researchers "were then able to almost completely take over the system and perform actions such as turning on the camera, turning on the microphone, reading emails, checking the screen and downloading the browser history."
When reached for a response, Zoom said it's pushed a server-side change to patch the bugs, noting that it's working on incorporating extra protections to resolve the security shortcomings. The company has a 90-day window to address the issues before they are made public.
"On April 9, we released a server-side update that defends against the attack demonstrated at Pwn2Own on Zoom Chat," a spokesperson for the company told The Hacker News. "This update does not require any action by our users. We are continuing to work on additional mitigations to fully address the underlying issues."
The company also said it's not aware of any evidence of active exploitation of these issues, while pointing out that the flaws don't impact in-session chat in Zoom Meetings, and that the "attack can only be executed by an external contact that the target has previously accepted or be a part of the target's same organizational account."
Independent researcher Alisa Esage also made history as the first woman to win Pwn2Own after finding a bug in the virtualization software Parallels. But she was only awarded a partial win because the issue had already been reported to ZDI prior to the event.
"I can only accept it as a fact that my successful Pwn2Own participation attracted scrutiny to certain arguable and potentially outdated points in the contest rules," Esage tweeted, adding, "In the real world there is no such thing as an 'arguable point'. An exploit either breaks the target system or not."