PWN2OWN Day Two – Chrome and Safari join the losers


Yesterday, we wrote up the half-time scores at the PWN2OWN 2014 competition at CanSecWest in Vancouver, Canada.

On Day One, six of seven planned attack attempts were successful, with only Oracle Java remaining unbroken.

On Day Two, the results were nearly as good (or bad, if you were the products), with 5.6 out of eight attacks hitting their targets.

That curious looking “5.6” is because Chrome was pwned twice, but the competition umpires deemed that 40% of one of the attacks was not original, albeit that the vulnerability used was not patched and the attack succeeded.

Only one attack that was actually attempted ended in failure, with IE 11 holding up against Jung Hoon Lee of ASRT.

The other unsuccessful attack on Day Two was Vupen’s attempt at Safari on OS X, which was abandoned altogether.

Here’s what happened on Day Two:

The combined results over the two days are as follows, sorted by payout:

The sponsors ended up paying out $850,000 of the $1,085,000 prize money pool.

In addition, a Sponsor versus Sponsor challenge, PWN4FUN, resulted in two successful attacks, and a combined donation of $82,500 to the Canadian Red Cross.

PWN4FUN took place on Day One, in the two hours before the competition proper got under way, with experts from HP and Google facing off in some community-spirited competitive hacking.

Google’s hackers broke out of Safari, and HP’s crew managed to escape from IE 11.

Of course, both teams ran the operating system’s built-in Calculator app – de rigueur when you are demonstrating remote code execution – but HP’s hackers added an amusing and theatrical touch by opening the Windows CALC.EXE program in Scientific Mode.

The Googlers, too, went over and above the call of duty, and ended up with the OS X calculator running as root.

That means they achieved remote code execution and privilege escalation: the most desirable sort of exploit to a crook, and the most worrying to a system administrator.

→ There are still OS X threat deniers out there who tell us that they consider malware in its traditional sense to be impossible on OS X, “because you have to click on and run a program by yourself and then type your admin password into the warning popup.” But as Google’s hacking crew just showed, a determined attacker can sidestep both of those giveaways when launching malware.

Big winners Vupen aimed high, entering to take on all seven products, and succeeding five times.

They will return to France with a tidy $400,000 – just a shade under half of the total payout.

Even if they have to pay French VAT and company tax, at rates of roughly one-fifth and one-third respectively, they should still net about $251,000 – a cool quarter million.

Not bad for five 30-minute passages of play!

Of course, like winning the Superbowl final, or lifting the FIFA World Cup, there was a lot more that went into the Vupen team’s success than just the final public proof of concept.

So, just how much work did go on behind the scenes to put Vupen’s attackers into a position from which they could pull in that sort of money in two days?

The company isn’t saying.