Researchers Rake in $280K at Pwn2Own Hacking Contest

Teams hack IE10, Chrome 25, Firefox 19, and Java 7 as eighth Pwn2Own gets off to an impressive start.

By Gregg Keizer
Thu, March 07, 2013

Computerworld — Research teams Wednesday cracked Microsoft's Internet Explorer 10 (IE10), Google's Chrome and Mozilla's Firefox at the Pwn2Own hacking contest, pulling in more than $250,000 in prizes.

Earlier in the day, a solo hacker exploited Oracle's Java to win $20,000.

Vupen, a French vulnerability research and bug-selling firm that took first place at Pwn2Own last year, brought down IE10 running on a Windows 8-powered Surface Pro tablet by exploiting a pair of flaws.

"We've pwned [Microsoft's] Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," Vupen announced on Twitter Wednesday afternoon.

HP TippingPoint, whose Zero Day Initiative (ZDI) bug bounty program is co-sponsoring Pwn2Own this year -- Google has also pumped money into the contest -- confirmed the Vupen hack in a tweet of its own.

According to Pwn2Own's rules, which were dramatically revised from 2012's challenge, the first researcher or team of researchers to hack IE10 on Windows 8 wins a $100,000 cash prize, plus the machine hosting the browser target.

Toward the end of the day, Vupen followed up with an exploit of Firefox 19 on Windows 7, collecting another $60,000.

Pwn2Own started Wednesday at the CanSecWest security conference in Vancouver, British Columbia, and will run through Friday.

Also on Wednesday, a two-man team from MWR Labs, an arm of UK-based MWR InfoSecurity, hacked Chrome 25 on Windows 7 by exploiting multiple "zero-day," or unpatched, vulnerabilities in the browser and operating system.

Like the Vupen hack of IE10, MWR Labs' exploit of Chrome resulted in a complete bypass of Windows anti-exploit "sandbox" technology. The MWR Labs researchers who found the bugs, built the exploits, and demonstrated their skills at Pwn2Own were Nils -- a young German who is known only by his first name -- and Jon Butler. Nils has a Pwn2Own history: He won $10,000 by hacking Mozilla's Firefox in 2010, and $15,000 the year before for exploiting Firefox, IE8 and Apple's Safari.

Nils and Butler described their Chrome hack in a brief blog post Wednesday, outlining how they defeated Windows' security defenses, including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

For their work, Nils and Butler received $100,000.

At the opening of the contest, a pair of solo researchers -- James Forshaw, a principal consultant at Context Information Security in the U.K., and Joshua Drake of Accuvant -- exploited Oracle's Java. Forshaw, who took his jabs first, won $20,000, Pwn2Own's lowest-priced prize. Vupen also successfully hacked Java 7 with a vulnerability and exploit of its own.

Originally published on www.computerworld.com.