Pwn2Own 2016 — podsumowanie 1. dnia

Poniżej krótkie podsumowanie 1. dnia konkursu Pwn2Own 2016.

1. JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000.
2. 360Vulcan Team: Demonstrated a successful code execution attack against Adobe Flash using a Flash confusion bug with use-after-free vulnerability in the Windows Kernel to run code in the SYSTEM context. This demonstration earned 13 Master of Pwn points and US$80,000.
3. Tencent Security Team Shield (PC Manager and KeenLab): Demonstrated a successful code execution attack against Apple Safari to gain root privileges using two use-after-free vulnerabilities, one in Safari and the other in a privileged process. This demonstration earned 10 Master of Pwn points and US$40,000.
4. 360Vulcan Team: Demonstrated a successful code execution attack against Google Chrome in the SYSTEM context. The attack used four vulnerabilities: two use-after-free vulnerabilities in Adobe Flash, one use-after-free vulnerability in the Windows Kernel and an out-of-bounds vulnerability in Google Chrome. This was a partial win due to the Google Chrome vulnerability being a duplicate of a previous, independent report to Google. This demonstration earned 12 Master of Pwn points and US$52,500.
5. Tencent Security Team Sniper (KeenLab and PC Manager): Demonstrated a successful code execution attack against an out-of-bounds vulnerability in Adobe Flash that use an infoleak vulnerability and a use-after-free vulnerability in the Windows Kernel to achieve SYSTEM context. This demonstration earned 13 Master of Pwn points and US$50,000.
6. Tencent Xuanwu Lab: Adobe Flash in Microsoft Edge: This attempt failed.