The North American Pwn2Own event has taken place alongside the annual CanSecWest security conference held in Vancouver, Canada, but this year the official host city was Austin, Texas.
Due to the pandemic situation, the hacking teams were distributed all over the world, rather than all traveling to meet in one place.
The full results for 2021 can be found on the Pwn2Own blog, including those who tried but failed, or those who tried but didn’t win any money because some part of their exploit chain was already known.
In some cases, competitors lost out because their exploits had been reported to the vendor before the competition by someone else, but not yet publicly disclosed.
In other cases, they lost out simply through the bad luck of drawing a later slot in the competition than other participants who had brought along and exploited the same bugs.
Below, we can see the money-winning entries – note that this year’s prize money totaled a very healthy $1.21 million!
- $200k for code execution on a server or messaging platform
- $100k for code execution via a browser
- $40k for breaking out of a virtualized guest OS into the host OS
- $40k for “getting root” (more properly, SYSTEM) on Windows 10
- $30k for “getting root” on Linux
| Participant | Platform | Pwnership level | Prize |
|---|---|---|---|
| DEVCORE | Microsoft Exchange | Server takeover | $200,000 |
| 'OV' | Microsoft Teams | Remote code exec | $200,000 |
| Daan Keuper/Thijs Alkemade | Zoom Messenger | Remote code exec | $200,000 |
| Bruno Keith/Niklas Baumstark | Chrome and Edge | Remote code exec | $100,000 |
| Jack Dates | Apple Safari | Kernel code exec | $100,000 |
| Jack Dates | Parallels Desktop | Escape to host | $40,000 |
| Sunjoo Park | Parallels Desktop | Escape to host | $40,000 |
| Dao Lao | Parallels Desktop | Escape to host | $40,000 |
| Benjamin McBride | Parallels Desktop | Escape to host | $40,000 |
| Team Viettel | Windows 10 | EoP to SYSTEM | $40,000 |
| Tao Yan | Windows 10 | EoP to SYSTEM | $40,000 |
| 'z3r09' | Windows 10 | EoP to SYSTEM | $40,000 |
| Marcin Wiazowski | Windows 10 | EoP to SYSTEM | $40,000 |
| Ryota Shiga | Ubuntu Desktop | EoP to root | $30,000 |
| Manfred Paul | Ubuntu Desktop | EoP to root | $30,000 |
| Vincent Dehors | Ubuntu Desktop | EoP to root | $30,000 |
| **TOTAL** | | | **$1,210,000** |
There was a tenth product that was attacked in the competition, but that doesn’t show up in the list above because it remained unpwned within the allotted time: Oracle’s VirtualBox virtualization software.
You can watch recordings of all three Pwn2Own 2021 contest days below.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.