PWN2OWN 2014 - Find the "exploit unicorn" and win $150,000


For a while, late in 2013, things didn't look too good for the annual Vancouver-based security conference CanSecWest, or for PWN2OWN, the elite hacking sideshow at the event that has in many ways eclipsed the conference itself.

It looked as though the conference and its accoutrements might implode, sucked into a total malware perspective vortex.

In October 2013, CanSecWest founder and organiser Dragos Ruiu went public to claim that he was under a sustained attack from the world's worst-ever malware, a cybernetic Hydra that became known as #BadBIOS.

This wasn't a new or brief attack, either: Ruiu claimed that the malware had been plaguing his working environment, effectively undetected and undetectable, for three years.

It infected Windows, OS X and OpenBSD systems in an ecumenical rampage; trashed hundreds of dollars of brand new USB keys each week while Ruiu tried to grab samples for analysis; and apparently even evolved the ability to escape from isolation using ultrasound signalling.

It didn't sound too good for Ruiu or his network, but the malware now seems to have vanished without a trace, and both his reputation and his network seem to have survived the onslaught.

So there will be a CanSecWest 2014, after all, and - it has now officially been announced - another PWN2OWN.

HP, the company that bankrolls the PWN2OWN prizes, has gone public with what you can win this year, and how.

Like last year, it makes for interesting reading, if only to compare the money on offer for the various avenues of attack.

Note that the underlying platform is the 64-bit version of Windows 8.1 in all cases, unless you're taking on Apple's Safari browser.

Straight browser attacks:

| Target | Prize |
| --- | --- |
| Google Chrome | $100,000 |
| Internet Explorer 11 | $100,000 |
| Mozilla Firefox | $50,000 |
| Apple Safari (OS X Mavericks) | $65,000 |

Attacks via Internet Explorer 11 plug-ins:

| Target | Prize |
| --- | --- |
| Adobe Reader | $75,000 |
| Adobe Flash | $75,000 |
| Oracle Java | $30,000 |

PWN2OWN Grand Prize via IE 11 plus EMET:

| Target | Prize |
| --- | --- |
| SYSTEM-level execution | $150,000 |

We're not sure what Mozilla's coders will make of the prize monies.

Does the $50,000 on offer for getting past Firefox's defences imply that HP thinks it's twice as easy to break into as IE or Chrome?

Or is it simply a reflection that the browser enjoys such grassroots popularity that it is likely to attract a greater number of attackers, and thus twice as likely to get pwned in time?

We shall have to wait and see!

New this year is the Grand Prize, dubbed the Exploit Unicorn by HP, presumably on account of the rarity of anyone actually finding one.

The Grand Prize offers a 50% premium over "popping" Internet Explorer 11 alone.

To scoop the $150,000, RCE, or remote code execution, is not enough.

You'll need to escape from the browser's sandbox, then escape from EMET (the Enhanced Mitigation Experience Toolkit), Microsoft's optional add-on sandbox inside which the browser's sandbox will be running, and then get SYSTEM-level powers using some sort of EoP, or elevation of privilege.

You've got until 12 March 2014 to perfect your technique.

On the day, the organisers will put you in front of a laptop they've set up, and you'll have just 30 minutes to get from "go" to "whoa."

Further information

Would you like to learn more about vulnerabilities and exploits, and brush up on your RCEs, EoPs, DoSes and information disclosures?

Take a listen to our Techknow podcast that helps you cut through the jargon:



2 Responses to PWN2OWN 2014 - Find the "exploit unicorn" and win $150,000

  1. That would be a yes then : )

  2. Well, I don't think the prize money reflects past performance, as Firefox has historically done better (stayed unpwned longer) than IE or Safari. Chrome usually longer still. Might it reflect real-world profitability of exploitation? I mean, install base?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog