Two researchers earned $200,000 on the second day of the Pwn2Own 2021 hacking competition for a Zoom exploit allowing remote code execution without user interaction.
The exploit, demonstrated by Daan Keuper and Thijs Alkemade from Computest, involves three vulnerabilities and it works on the latest versions of Windows 10 and Zoom. In the demo at Pwn2Own, the victim saw a meeting invitation from the attacker, but the victim didn’t actually have to click anything to trigger the code execution.
If attempts to hack the Parallels virtualization product failed on the first day, on the second day, Jack Dates from RET2 Systems and Sunjoo Park (aka grigoritchy) earned $40,000 each for executing code on the underlying operating system through the Parallels Desktop application.
There were also two successful attempts to escalate privileges on Windows 10 and one successful privilege escalation exploit on Ubuntu. These earned participants $40,000 and $30,000, respectively.
Team Viettel attempted to hack Microsoft Exchange, but their exploit leveraged a vulnerability that was used earlier in the competition so their attempt counted as a partial win.
On the first day of Pwn2Own 2021, participants earned $570,000, including $440,000 for exploits targeting Microsoft products (Teams, Exchange and Windows). According to Trend Micro’s Zero Day Initiative (ZDI), which organizes the competition, it’s the first time more than one million dollars have been paid out in total at Pwn2Own, and there are still several more attempts scheduled for the last day of the event.
The hacking attempts scheduled for the third day of Pwn2Own will target Parallels, Exchange, Ubuntu, and Windows 10.
UPDATE: Zoom has reached out to SecurityWeek to provide the following statement:
“We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skillful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center.”
Related: Researchers Earn $280,000 for Hacking Industrial Systems at Pwn2Own Miami
Related: Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020
Related: NETGEAR Router, WD NAS Device Hacked on First Day of Pwn2Own Tokyo 2020
Related: Researchers Hack Windows, Ubuntu, macOS at Pwn2Own 2020