At the Pwn2Own 2021 competition, Ubuntu, Chrome, Safari, Parallels and Microsoft products were hacked

The results are in for the three days of the Pwn2Own 2021 competition, held annually as part of the CanSecWest conference. Like last year, the competition was held virtually and the attacks were demonstrated online. Of the 23 targets, working techniques for exploiting previously unknown vulnerabilities were demonstrated for Ubuntu Desktop, Windows 10, Chrome, Safari, Parallels Desktop, Microsoft Exchange, Microsoft Teams and Zoom. Attempts to hack Oracle VirtualBox were made but did not succeed. In all cases, the most recent versions of the programs, with all available updates installed, were tested. The total amount of payments was one million two hundred thousand US dollars.

Three attempts to exploit vulnerabilities in Ubuntu Desktop were made at the competition. The first and second attempts were counted: the attackers demonstrated local privilege escalation by exploiting previously unknown vulnerabilities associated with a buffer overflow and a double free (the components containing the problems have not yet been reported; the developers are given 90 days to fix the errors before the data is disclosed). Prizes of 30 thousand dollars were paid for these vulnerabilities.

The third attempt, made by another team in the local privilege escalation category, was only partially successful: the exploit worked and made it possible to gain root access, but the attack was not fully credited, since the error involved was already known to the Ubuntu developers and an update with a fix was being prepared.

A successful attack was also demonstrated against Chromium-based browsers: Google Chrome and Microsoft Edge. A prize of 100 thousand dollars was paid for an exploit that allows the attacker's code to be executed when a specially crafted page is opened in Chrome and Edge (one universal exploit was created for the two browsers). The fix is planned to be published in the coming hours; so far it is only known that the vulnerability is present in the process responsible for processing web content (the renderer). The category for hacking Firefox remained unclaimed.

Other successful attacks:

  • 200 thousand dollars for hacking the Zoom application (the attackers managed to execute their code by sending a message to another user, without requiring any action from the recipient). The attack used three vulnerabilities in Zoom and one in the Windows operating system.

/Media reports.