On Thursday, two researchers took down the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, as Pwn2Own, the annual hacking contest that runs in tandem with CanSecWest, wound down in Vancouver.
The second and final day of Pwn2Own 2015 saw successful exploits by both entrants against four products, with each going after multiple targets and collecting a total of $240,000.
This brings the two-day payout total to $557,500, not including the value of the laptops, ZDI points, and other prizes given to winning researchers.
All the vulnerabilities exploited will be privately disclosed to the affected software makers so patches can be released. Details are deliberately vague at the moment in the interests of responsible disclosure.
Using 2000 lines of code, Lee was able to take down both stable and beta versions of Chrome by exploiting a buffer overflow race condition in the browser.
He then used an info leak and race condition in two Windows kernel drivers to secure SYSTEM access. The standalone Chrome bug fetched Lee $75,000 while the privilege escalation bug scored him another $25,000. To finish it off, Google’s Project Zero, as it usually does when Chrome is hacked at the event, paid Lee an extra $10,000.
After the competition, Lee, who went on to own two other browsers yesterday, told HP Security Research’s Dustin Childs that the Chrome exploit was the toughest to pull off. He told Childs via translator that not only was it his first time writing Native Client code, but it was also his first time dealing with a kernel exploit.
Lee nailed Apple's Safari with a use-after-free (UAF) vulnerability involving an uninitialized stack pointer, and bypassed the sandbox to perform remote code execution on an OS X Mac. This earned him a $50,000 bonus, bringing his earnings to $225,000 for the day.
But the speed demon of the contest was a hacker using the name ilxu1a, who managed to remotely compromise Mozilla's Firefox in less than a second.
He had spotted a vulnerability by static analysis alone, rather than fuzzing, and used the out-of-bounds read/write flaw to gain medium-integrity code execution in the browser, earning a $15,000 prize.
The final numbers for Pwn2Own 2015 are quite impressive:
- 5 bugs in the Windows operating system
- 4 bugs in Internet Explorer 11
- 3 bugs in Mozilla Firefox
- 3 bugs in Adobe Reader
- 3 bugs in Adobe Flash
- 2 bugs in Apple Safari
- 1 bug in Google Chrome
- $557,500 USD bounty paid out to researchers
While the hackers are going to be happy with the last two days, browser manufacturers and customers are going to be less pleased. But it's one of the strengths of competitions like Pwn2Own that coders can earn decent cash to find these flaws, and the rest of us save a lot of money by getting them fixed before others discover the security blunders.