The Results of Pwn2Own 2012

Pwn2Own 2012 has concluded with Chrome, Internet Explorer, and Firefox all being compromised. Apple’s Safari was the only browser to be left standing in the competition that annually takes place at the CanSecWest Applied Security Conference and is sponsored by HP’s TippingPoint Zero Day Initiative.

The browsers are running as the latest, fully patched versions on Windows 7 or Mac OS X Lion. First, second, and third places are available with prizes of $60k, $30k, and $15k respectively. In tradition of the contest, 3 laptops were also offered to supplement the cash prizes. The rules were changed up this year to make the competition more fair so all had a fair chance to show their exploit instead of just the first three successful in a lottery-type order. Additional points were available by exploiting stated public vulnerabilities. In addition to the official competition winnings, Google offered additional funds to further entice vulnerability information as Chrome went unchallenged last year.

  • Full Chrome pwn: uses only bugs in Chrome itself to gain full unsandboxed code execution. $20,000 USD per fully disjoint bug set.
  • Partial Chrome pwn: uses bugs in Chrome and bugs in the operating system to gain full unsandboxed code execution. $10,000 USD per fully disjoint bug set.
  • “Non-Chrome pwn”: uses only OS bugs for the pwn. e.g. Windows kernel font parsing vulns, driver vulns, $0 USD (not eligible).

The results of the competition are listed over on the Pwn2Own site and demonstrated exploits were announced on Twitter @Pwn2Own_Contest. In order, Pwn2Own:

“Congratulations to @VUPEN for taking down #Chrome during the first 5 minutes of #Pwn2Own! They have been awarded 32 points.”

@Vupen just showed a working exploit for CVE-2011-3346 written 20 minutes. Another 10 points for them!”

“less than 4 hours into the #pwn2own challenges and @Vupen wrote a nice exploit for CVE-2009-3077. Current status for them: 2 down, 6 to go”

“Another CVE exploited: CVE-2011-0115 for Safari popped a nice App.Calc, another 10 points for @Vupen

@Vupen just demonstrated a 0Day for Internet Explorer including a Protected Mode bypass. IE9 on W7 completely owned. #pwn2own

“Team @_snagg and @_dvorak_ have just demonstrated exploits for CVE-2011-0115, CVE-2010-0050 and CVE-2010-2752 and gained 24 points. #pwn2own

“Congratulations to @_snagg and @_dvorak_ for successfully pwning the latest Firefox at #Pwn2Own! They’ve gained 32 points.”

With the final listing as:

VUPEN: 123 Points

0Day (32 Points each)

  • Google Chrome: Full sandbox escape and code execution
  • Microsoft Internet Explorer: Protective Mode Bypass and code execution

CVE Challenge (10/9/8 Points each, depending on the day)

  • CVE-2010-3346 (Internet Explorer)
  • CVE-2009-3077 (Firefox)
  • CVE-2011-0115 (Safari)
  • CVE-2010-0050 (Safari)
  • CVE-2010-0248 (Internet Explorer)
  • CVE-2010-2752 (Firefox)

Willem & Vincenzo: 66 Points

0Day (32 Points each)

  • Mozilla Firefox: Full code execution

CVE Challenge (10/9/8 Points each, depending on the day)

  • CVE-2010-3346 (Internet Explorer)
  • CVE-2011-0115 (Safari)
  • CVE-2010-0050 (Safari)
  • CVE-2010-2752 (Firefox)

Only two teams competed this year. There has not been evidence of it but perhaps the lack of participation was due to this year’s rule change. Team VUPEN handily won the competition this year. Threatpost talked to Chaouki Bekrar of VUPEN about the contest and it makes for an interesting read. You should also check out their write-up of the IE9 vulnerability.

In a separate competition, Google is running Pwnium – a million dollars offered in exchange for Chrome exploits. With $60k rewarded per exploit, only one person submitted an exploit. Sundar Pichai of Google announced the first submission on Google+ and announced that an update has already been pushed out to Chrome users the following day.

Update: Just before Google’s Pwnium ended, a second exploit was submitted. Another person won $60k using 3 bugs to escape the Chrome sandbox. Wired Magazine has a good write-up of Pinkie Pie, the teen who submitted the bug.

Categories : Security
Posted by Jason Hamilton | March 9, 2012  |  No Comment

Leave a Comment