Angela Gunn, Senior Security Content Developer, HP Security Research
Two record-setting days of payouts for zero-day vulnerabilities brought the 2014 Pwn2Own contest tantalizingly close to our first million-dollar competition, with $850,000 paid to eight entrants. $385,000 of potential prize money remained unclaimed.
The first day of Pwn2Own 2014 saw successful attempts by three entrants against four products, with payouts of $400,000 to researchers in the main competition. An additional $82,500 went to charity in the Pwn4Fun sponsors-only event.
At Pwn4Fun, Google delivered an impressive exploit against Apple Safari, launching Calculator as root on Mac OS X. ZDI presented a multi-stage exploit (including an adaptable sandbox bypass) against Microsoft Internet Explorer, launching scientific calculator running in medium integrity with continuation. Combined, the two efforts raised $82,500 for the Canadian Red Cross. The charitable mood reverberated through the rest of the event, with Keen Team (at their first Canadian Pwn2Own after a standout performance in our Mobile Pwn2Own contest in Tokyo last fall) announcing plans on Thursday to donate a portion of its winnings to a charity to be named later.
In the main event, the luck of the draw brought three of four browsers to the table on the first day, and put VUPEN at the table for four attempts. (VUPEN withdrew a potential fifth attempt against Oracle Java on Wednesday, leaving that product the only one on our roster to remain untested.) All six of Wednesday’s attempts were successful. VUPEN collected $300,000 for vulns in Adobe Reader, Microsoft Internet Explorer, Mozilla Firefox, and Adobe Flash, and researchers Mariusz Mlynski and Jüri Aedla each collected $50,000 apiece for vulns in Firefox.
The second and final day of Pwn2Own 2014 saw successful attempts by seven entrants against five products, with $450,000 paid to researchers. VUPEN withdrew an entry against Apple Safari before competition began, while Keen Team successfully compromised the browser with a heap-overflow and sandbox-bypass combination for $65,000. Keen Team’s Liang Chen appeared with Zeguang Zhao of team509 later in the day to present another heap-overflow-and-sandbox-bypass attempt against Adobe Flash, worth $75,000. Two entrants, VUPEN and an anonymous researcher represented by proxy, both presented Google Chrome vulnerabilities. VUPEN was awarded $100,000 for a use-after-free vulnerability that our analysts have determined affects not only Blink-based browsers but those built on WebKit. Meanwhile, the anonymous researcher’s attempt was found to have partial overlap with a vulnerability demonstrated earlier in the week at Pwnium. The remainder of that entry was awarded $60,000. George Hotz collected $50,000 against Firefox.
Also on Thursday, Sebastian Apelt and Andreas Schmidt presented an impressive exploit involving two use-after-free bugs and a kernel bug to collect $100,000 against IE. A second Internet Explorer vulnerability, presented by proxies acting on behalf of Jung Hoon Lee of ASRT, was not successful in the 30-minute contest timeframe. However, ZDI analysts examined the submission after the competition, confirmed that it is functional, and purchased it as part of ZDI’s regular brokerage program.
The largest single prize not awarded was the $150,000 for successful demonstration of the grand-prize Exploit Unicorn, a triple-play puzzle specifically designed to provide the greatest challenge for researchers. Though no entrants made that attempt, the record-setting number of entrants and the diverse and creative approaches taken to crafting attacks made this a Pwn2Own for the ages.