Taking part in Pwn2Own has now become a regular feature on the Pentest calendar and it is an event we look forward to every year, giving us the opportunity to compete against some of the most experienced, and talented, research groups in the world.
Our very own Director of Research, Sam Thomas, has competed in the two recent Pwn2Own events and has had some amazing results. With that in mind, we wanted to give you a glimpse into the goings-on behind the scenes and tell you (well, as much as we can) about his successes.
Pwn2Own – The Overview
For those of you who do not know, Pwn2Own is a hacking competition that is run by the Zero Day Initiative (ZDI), with each competition focusing on specific types of software or devices.
A few months before the competition, a list of targets is released by the organisers and researchers have until the set deadline to investigate the targets thoroughly, looking for security vulnerabilities within them. If an exploit is found, researchers then submit a detailed whitepaper explaining their findings and provide detailed instructions on how to run them. All eligible entries are then scheduled to demonstrate their exploits during the live event.
Applicants are drawn into random lots to demonstrate their findings live at the competition and if they can successfully demonstrate their exploit, and it is confirmed that the exploit has never been seen before, then they earn a cash prize and ‘Master of Pwn’ points. Points throughout the competition are added together and the team/participant with the most points at the end takes the overall Master of Pwn title and trophy.
Once demonstrated, exploits are confidentially disclosed and the competition organisers work directly with the manufacturers to develop security patches.
Pwn2Own Austin 2021
Pwn2Own Austin focuses on consumer devices such as mobile phones, smart TVs, home automation, and storage devices, to name a few. From the list of devices released in August 2021, Sam chose to concentrate his efforts on two, the Western Digital My Cloud Pro Series PR4100 NAS and the Samsung Galaxy S21 mobile phone.
So, how did Sam get on against these devices?
Western Digital My Cloud Pro Series PR4100 NAS
Sam has previous experience with the Western Digital NAS, having attempted to exploit it during Pwn2Own Tokyo 2021, but only gaining partial success due to another team demonstrating part of the exploit before him. Being familiar with the device and its software, this year we were determined to go one better and achieve a full successful exploit (which would be our first full success at Pwn2Own!).
Luckily, Sam was drawn first on this device (in fact, we opened the competition) and was able to successfully demonstrate a 3-bug chain that included an unsafe redirect and a command injection to achieve code execution.
The prize: $40K and 4 Master of Pwn points.
Samsung Galaxy S21
Pwn2Own used to run a dedicated competition called Pwn2Own Mobile and we always wanted to give it a go. However, with that event long gone, Pwn2Own Austin was now our best chance to see what we could achieve in the mobile phone category.
The research process was a daunting one and we reviewed previous entries with public blogs, focussing our efforts on the approaches which suited our skillset. The going was tough, and whilst we did find an exploit, we believed it would only be considered a partial win due to limitations in our attack technique. But, with a week to go, Sam overcame those limitations, and we were confident we had something that could give us a full win.
Sadly, the luck of the draw was not with us on this one, and we were drawn 3rd out of 3 entries to demonstrate our exploit on the device. Chances were another team would demonstrate our exploit, or at least part of it, before us and we may only get a partial win, or potentially nothing at all. We just had to hope.
The first team to have a go failed to successfully demonstrate their exploit in the allotted time and the second attempt was only classed as a partial win – the vendor already had knowledge of the vulnerability exploited. There was a chance we could still get a full win.
Our first attempt (you get 3 attempts) did not completely succeed, but after a few nervous minutes the exploit completed on our 2nd attempt. Then it was another nervous wait to see if our exploits were truly zero days.
Thankfully, they were, and it was confirmed that we had successfully used a unique three-bug chain to compromise the Samsung Galaxy S21.
The prize: $50,000 and 5 points towards Master of Pwn, taking our total to $90K and 9 Master of Pwn points (and earning Sam 4th place in the overall competition!).
The aftermath
Pwning a well-known device such as the Samsung S21 certainly grabs the attention, so it was amazing to see Sam’s Pwn2Own exploits being featured in articles by publications such as Forbes, ITPro, and Bleeping Computer, to name just a few.
Pwn2Own Miami 2022
Pwn2Own Miami is an ICS (Industrial Control System) based event with categories including Control Server, OPC Unified Architecture (OPC UA) Server, Data Gateway & Human Machine Interface (HMI). From the list of targets, Sam decided to focus his efforts on the Control Server category and Inductive Automation Ignition.
In his research, Sam managed to discover three 0day vulnerabilities which could be chained together to achieve RCE (Remote Code Execution) against Inductive Automation Ignition.
Luckily, Sam was drawn first on the target and only had to hope that his exploits worked correctly on the day. Thankfully, they ran as planned, netting him a full win, $20k in prize money and 20 Master of Pwn points.