Until 2019, the Pwn2Own hacking contest was held at the CanSecWest conference in Vancouver each spring, but due to the coronavirus pandemic, it moved to the World Wide Web last year. Pwn2Own 2021, which is currently being held online once again, brings with it another thoroughly enjoyable first: "If you’ve ever wanted to watch Pwn2Own but couldn’t get to Vancouver, you’re in luck!", writes Trend Micro’s Zero Day Initiative (ZDI) in a blog entry – referring to the possibility of watching the event conveniently via livestream.
The contest, which started yesterday (Tuesday), will run until tomorrow and will be streamed on the Pwn2Own website, YouTube and Twitch from Austin, Texas. The complete "program", including the estimated times of the 23 hacking attempts, can be found in the ZDI blog entry for the Pwn2Own 2021 contest. Attention: The times are given in UTC-4, so you have to add six hours to each time. Today, Wednesday, the event started at 3 pm in our time zone.
Pwn2Own 21: Via YouTube you can watch hacking for three days.
Day 1: Exchange Server and Teams vulnerabilities
On the first day of the competition, a total of seven teams or individuals competed for a total of 570,000 US dollars. Two exploit attempts, both from the "Virtualization" category (Parallels Desktop and Oracle VirtualBox), failed; the others succeeded.
The largest sums of money, 200,000 US dollars each, were paid to two teams of researchers who successfully attacked Microsoft products: the team of the company Devcore managed to take over an Exchange server by first successfully bypassing authentication mechanisms (authentication bypass) and then escalating its privileges (local privilege escalation).
This is not Devcore’s first vulnerability discovery in Exchange Server: the team had discovered the CVE-2021-26855 vulnerability, known as ProxyLogon, in December 2020. It is one of the Exchange vulnerabilities that was only recently exploited in a crude manner and that Microsoft patched in early March, outside its regular patch schedule.
Yesterday’s Microsoft hack number 2 was achieved by a researcher with the pseudonym "OV". He combined bugs to execute code in the context of Microsoft Teams. Other targets of successful attacks were Apple’s Safari browser (where code execution at kernel level was achieved in a roundabout way), Windows 10 (local privilege escalation) and Ubuntu Desktop (also local privilege escalation).