Chinese security researchers were able to successfully discover zero-day vulnerabilities in Apple Safari, Windows 10, Google Chrome, Linux and others at the recently held hacking competition in the city of Chengdu in China.
The hacking contest held over last weekend – October 16 and 17 – saw China’s top hackers take part in the Tianfu Cup 2021 International Cyber Security Competition – the country’s top hacking competition – to test some of the world’s popular software products and operating systems.
For those unaware, prior to 2018, Chinese experts had successfully dominated Pwn2Own, the world’s largest hacking contest, by winning the competition years in a row.
However, in the spring of 2018, the Chinese Government prohibited Chinese white hat hackers from taking part in international hacking competitions. As a result, the Chinese government came up with their own, Tianfu Cup, China’s answer to Pwn2Own, for local security researchers to test their skills against popular software and hardware.
This year’s edition included a list of 16 possible targets (see below), of which 13 targets were successfully exploited.
- Apple Safari
- Google Chrome
- Windows 10
- Microsoft Exchange Server 2019
- Adobe PDF Reader
- Ubuntu 20/CentOS 8
- Docker CE
- VMware Workstation
- VMware ESXi
- Parallels Desktop
- iPhone 13 Pro running iOS 15
- ASUS Router AX56U
- Ubuntu + qemu-kvm
- Synology DS220j
- Domestic mobile phones (Android)
- Domestic New Energy Vehicles
The only ones that were not exploited were Synology DS220j, Xiaomi Mi 11 smartphone, and an unnamed Chinese electric vehicle.
At the end of the tournament, researchers from Chinese security firm Kunlun Lab won the competition by hacking iPhone 13 Pro running iOS 15 through a vulnerability in the Safari mobile browser in just 15 seconds.
The Kunlun Lab researchers also successfully pwned Google Chrome “to get Windows program kernel amount privilege with only two bugs,” Kunlun Lab’s CEO @mj0011 tweeted. The researchers earned a total prize money of $654,500.
Team PangU, who is known for jailbreaking mobile phones since 2014, stood second for remotely jailbreaking into an iPhone 13 Pro running iOS 15.
The team won $522,500 in the contest and became the first group to successfully carry out a remote attack on the newly released iPhone at a public forum. Further, the Vulnerability Investigate Institute (VRI) came third with $392,500.
No details of the flaws have not been made public, but patches for the newly discovered vulnerabilities are expected to be released in the upcoming weeks.