Pwn2Own 2016 has come to an end, with researchers earning a total of $460,000 in cash for disclosing 21 new vulnerabilities in Windows, OS X, Flash, Safari, Edge and Chrome.
On the first day, contestants earned $282,500 for vulnerabilities in Safari, Flash Player, Chrome, Windows and OS X. On the second day, Tencent Security Team Sniper took the lead after demonstrating a successful root-level code execution exploit in Safari via a use-after-free flaw in Safari and an out-of-bounds issue in Mac OS X. The exploit earned them $40,000 and 10 Master of Pwn points.
The same team received 15 points and $52,500 for a system-level code execution exploit in Microsoft Edge via an out-of-bounds vulnerability in Edge and a buffer overflow in the Windows kernel.
JungHoon Lee (lokihardt) also managed to demonstrate a system-level code execution exploit against Microsoft Edge by using an uninitialized stack variable vulnerability in Edge and a directory traversal in Windows. The exploit earned him 15 points and $85,000, which represents the biggest cash prize awarded in a single attempt.
Lee also took a crack at Google Chrome, but his attempt failed. Tencent Security Team Shield also had a failed attempt against Adobe Flash Player.
360Vulcan Team, which occupied the first position after the first day, did not earn any additional rewards on the second day.
Overall, Tencent Security Team Sniper earned the highest number of Master of Pwn points (38), for which the team will get an extra 65,000 ZDI points (worth $25,000) in addition to the $142,500 in cash awarded for their exploits. Lee walked away with the most money as his exploits helped him get a total of $145,000.
Pwn2Own 2016 is considered a success by organizers, with a total of 21 vulnerabilities found in Windows (6), OS X (5), Flash (4), Safari (3), Edge (2) and Chrome (1). It’s worth pointing out that while the Chrome exploit demonstrated by 360Vulcan Team worked, it’s considered only a partial success as the Chrome flaw they leveraged had been previously reported to Google.
The exploits demonstrated at Pwn2Own 2016, all of which achieved system or root privileges for the first time in the competition’s history, are concerning for the state of kernel security.
“As ZDI researcher Jasiel Spelman noted, researchers and attackers are likely focusing on the kernel in response to advances in sandboxing. It’s a truism in security that when you harden one area, attackers and researchers will move their attention to another one,” explained Christopher Budd, global threat communications manager at Trend Micro. “Based on Pwn2Own 2016, it appears that’s happening with a shift to focus on the kernel. This is also borne out by what we’re seeing in Linux lately: while Linux is outside the focus of Pwn2Own, we’ve seen a number of Linux kernel issues lately.”
Pwn2Own 2016 is the first edition of the hacking contest where researchers have been invited to escape a VMware virtual machine for a bonus of $75,000. However, none of the participants demonstrated a successful exploit in this class.
It’s worth noting that this year’s contestants earned nearly $100,000 less for their exploits compared to Pwn2Own 2015, when researchers walked away with more than $550,000.