Confirmed! @5aelo used a JIT optimization bug in the browser, a macOS logic bug, & a kernel overwrite to execute code to successfully exploit Apple Safari. This chain earned him $65K & 6 points Master of Pwn points. pic.twitter.com/iLfNFnXzzs
— Zero Day Initiative (@thezdi) March 15, 2018
On day two (March 15, 2018), Richard Zhu made a comeback by hacking the Firefox browser, using an out-of-bounds read vulnerability and an integer overflow in the Windows kernel to pop Firefox and execute his code with elevated privileges.
For hacking Firefox, Zhu received $50,000 in prize money as well as the Master of Pwn award. In total, Zhu earned $120,000 from his Microsoft Edge and Firefox browser hacks.
Congrats to @RZ_fluorescence on being named Master of Pwn for #Pwn2Own 2018! His exploits for Edge and Firefox earned him $120,000, this sweet jacket, and the trophy. We hope he returns in the future to defend his title. pic.twitter.com/ljKhmjJrHn
— Zero Day Initiative (@thezdi) March 16, 2018
Next came Markus Gaasedelen, Nick Burnett and Patrick Biernat of Ret2 Systems, Inc., who targeted Apple Safari with a macOS kernel EoP. However, Pwn2Own rules require contestants to demonstrate a successful hack within three attempts, and in this case the team succeeded only on the fourth attempt.
Ret2 Systems could not win any prize money, but Pwn2Own purchased the bugs and disclosed them to Apple through its normal process.
The last team to try their luck at Pwn2Own was MWR Labs whose hackers Alex Plaskett, Georgi Geshev, and Fabi Beterke targeted Apple Safari with a sandbox escape. The team leveraged a heap buffer underflow in the browser and an uninitialized stack variable in macOS to exploit Safari and escape the sandbox. In doing so, they earned $55,000 and 5 Master of Pwn points.
In total, organizers awarded $267,000 for the two-day contest, during which hackers discovered one Mozilla bug, two Oracle bugs, four Microsoft bugs and five Apple bugs. As a next step, the organizers will report the security flaws discovered during Pwn2Own 2018 to the affected vendors.