Pwn2Own 2014 which started today at Vancouver, Canada has already had a record payout of $482,000. Out of this $400,000 was paid to security research firms and individuals in the competition section and remaining $52,000 was paid to charity in the sponsor only category. Safari, Firefox, Internet Explorer, Adobe Flash and Reader were the products in which the competitors found vulnerabilities and were awarded. Most of the money awarded on the first day went to a France based security research firm, VUPEN. VUPEN’s researcher managed to put up a total of four ‘Proof of Concepts’ for vulnerabilities.
The important aspect of this years Pwn2Own 2014 was that most of the competitors were able to ‘PWN’ or demonstrate their exploits in 5 minutes flat. The standard period allowed to the researchers to prove their concept is 30 minutes. As stipulated in the primary conditions, as soon as the researchers demonstrated the exploits, they headed to the disclosure room where they presented the details of their exploits to vendors.
The vulnerabilities proved out by Team VUPEN are as follows :
Against Adobe Flash, a use-after-free with an IE sandbox bypass resulting in code execution.
Against Adobe Reader, a heap overflow and PDF sandbox escape, resulting in code execution.
Against Microsoft Internet Explorer, a use-after-free causing object confusion in the broker, resulting in sandbox bypass.
Against Mozilla Firefox, a use-after-free resulting in code execution.
They were able to find out a use-after-free with an Internet Explorer sandbox bypass in Flash. The issue can be exploited to execute arbitrary code. A heap overflow and PDF sandbox escape in Adobe reader also resulted in code execution. The other flaw that VUPEN experts were able to find out was also a use-after-free that can be leveraged for code execution in Firefox. The Microsoft’s latest Internet Explorer 11 Browser was also found to be vulnerable by Team VUPEN. They managed to bypass the sandbox in Internet Explorer 11 on Windows 8.1 with a use-after-free vulnerability that causes object confusion in the broker. For finding the above vulnerabilities, the Team VUPEN researchers have been rewarded with a total of $300,000.
Other security researchers who also managed to hog the limelight and grab awards on the first day of Pwn2Own 2014 were Jüri Aedla and Mariusz Mlynski.
Adela was able to find the following vulnerability in Firefox and was rewarded $50,000.00 for his efforts.
Against Mozilla Firefox, an out-of-bound read/write resulting in code execution.
While Mlynski found out two security holes in Mozilla Firefox and got $50,000 for his efforts.
Against Mozilla Firefox, two vulnerabilities, one allowing privilege escalation within the browser and one bypassing browser security measures.
The charity function was organised under the banner of Pwn4Fun which was sponsored by TippingPoint’s Zero Day Initiative (ZDI) and Google. Experts from Google and ZDI presented their exploits under Pwn4Fun and a total of $82,500 was been donated to the Canadian Red Cross.
The news from the first day was that nobody was able to find any vulnerability in Google’s Chrome. Tomorrow is the last day of Pwn2Own 2014 and Chrome is expected to escape unbroken.
Resource : Pwn2Own 2014