Pwn2Own 2021 kicked off this week with successful attempts against Apple's Safari browser and Microsoft Teams, Microsoft Exchange, and Windows 10 on the first day of competition.
This year's event is distributed among various locations and is one of the largest in Pwn2Own history, according to Trend Micro's Zero Day Initiative. Twenty-three separate entries will target 10 products in the categories of Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and Enterprise Communications, the event's newest category.
On the first day of this year's event, the Devcore team combined an authentication bypass and local privilege escalation to take over Microsoft Exchange in the Server category. The success earned the team $200,000 and 20 Master of Pwn points.
In the Enterprise Communications category, a researcher who goes by OV demonstrated code execution on Microsoft Teams with a pair of vulnerabilities, earning himself $200,000 and 20 points toward Master of Pwn.
Team Viettel targeted Windows 10 in the Local Escalation of Privilege category. The team used an integer overflow in Windows 10 to escalate from a regular user and achieve system privileges, earning $40,000 and 4 points toward Master of Pwn.
Jack Dates of RET2 Systems targeted Safari in the Web Browser category, using an integer overflow in Safari and an OOB Write to get kernel-level code execution. In doing so, he earned $100,000 and 10 Master of Pwn points.
Later in the week, Pwn2Own participants will make additional attempts at targeting Microsoft Exchange Server, Windows 10, Zoom, Ubuntu Desktop, and other targets.
Read the full first day results and Pwn2Own schedule here.