Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/25/2018
06:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

This Year's Pwn2Own Hackfest Will Offer Up to $2 Million in Rewards

Microsoft is a partner at annual contest for the first time.

In a sign of just how much value software vendors have begun attaching to crowdsourced security research, up to $2 million will be up for grabs at the Pwn2Own challenge at the CanSecWest conference in Vancouver, Canada, this March.

The amount is the highest ever offered in rewards at the annual hacking contest. It reflects contributions from VMware and Microsoft, which for the first time will participate as a partner at the event, along with Trend Micro's Zero Day Initiative (ZDI).

Also for the first time, the Pwn2Own contest will offer a Windows Insider Preview challenge in which participants will have an opportunity to take a crack at prerelease versions of Windows products configured by Microsoft and running on the company's hardware.

The challenge will use the Windows 10 RS4 (Redstone 4) Insider Preview build as the base platform and give bug hunters an opportunity to match their wits against some of Microsoft's flagship security technologies.

"Microsoft has been a target before, but they have never participated as a partner," says Dustin Childs, communications manager for ZDI. "We're excited to have Microsoft as a partner and VMware as a sponsor for this year's event. It shows vendors recognize the value provided by the contest," he says.

The annual Pwn2Own contest has become something of an annual pilgrimage for many security researchers from around the world. The event provides an opportunity for them to essentially win rewards for hacking into widely used technology products using previously unknown exploits. Bugs and exploits that are uncovered in target products at the event are sold or shared with the respective security vendors.

Last year, security researchers, many of whom worked in teams, collected over $830,000 in total payouts for discovering various exploits in target products such as VMware Workstation, Microsoft Edge, Google Chrome, Microsoft Hyper-V, and Mozilla's Firefox. Researchers participating at the event uncovered a total of 51 different zero-day vulnerabilities.

Since Pwn2Own launched in 2007 it has gotten progressively bigger, more formal, and more challenging for hackers. For some vendors the event is a testing ground of sorts for their products and an opportunity to discover security issues in their products before attackers exploit the flaws.

From initially focusing on Web browsers and operating systems, Pwn2Own has broadened to include multiple technologies such as virtualization, cloud, and mobile. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.

"The first Pwn2Own required just one vulnerability to exploit an Apple Macbook," says Childs. "A successful entry this year will require multiple exploits, sandbox escapes, mitigation bypasses, and other advanced techniques. In other words, it's much more difficult."

This year's event offers contestants targets in five separate categories: virtualization, enterprise applications, Web browsers, servers, and Windows Insider Preview.

This March's Pwn2Own event expands the virtualization category by adding Oracle's VirtualBox as a target for contestants. The three challenges that Microsoft will offer as part of its Windows Insider Preview Challenge are also new.

Award amounts in the various categories vary depending on the target and level of difficulty.

For instance, contestants who can successfully execute a certain type of attack against Microsoft's Hyper-V client can earn up to $150,000 in the virtualization category. A successful sandbox escape exploit on Google Chrome can fetch $60,000, while a Windows Kernel Escalation of Privilege exploit on Edge can garner $70,000. Rewards are higher for server exploits, at $100,000, while any team that can pull off a complete Hyper-V escape in kernel or hypervisor mode can make $250,000.

"This year's largest awards are reserved for guest-to-host escapes in their various forms," Childs notes.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/29/2018 | 6:19:43 PM
$2M?
This is good in my view, contesters may identify unknow vulnerability, I am glad Microsoft is part of it.

 
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/29/2018 | 11:07:58 AM
Re: The rewards of virtue?
@JoeS: Could well be - but possibilities, probabilities and particulars of the M/S issue don't change the fact that we have greatly expanded, and motivated, sets of eyes examining functional code, looking for ways it could be used perversely.  That "...multiple different groups of researchers had independently discovered those flaws all around the same time...", only reinforces that point.  

Yes, that some dark intentioned individual or entity had discovered the opportunity is possible; and if they have/are/plan to use it, the strong probability is that they wouldn't be obvious about it.  Also, if they found it, they must have had an incentive to look for something like it - and they could only have been encouraged in their efforts by similar "successes" in finding vulnerabilities by others.

Probabilities aside, the vulnerability underlying M/S was found and made known by researchers.  That they were well intentioned doesn't alter the fact that the results have been disruptive and costly.  The intent of the researchers has proven as irrelevant as that of programmers and chip designers. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2018 | 7:43:49 PM
Re: The rewards of virtue?
@BrianN: Actually, multiple different groups of researchers had independently discovered those flaws all around the same time, as Wired recently wrote about (along with the general phenomenon). This strongly suggests either that (1) at least some malfeasor(s) out there had already discovered it or (2) there was a substantial probability that "bad guys" were about to discover it anyway.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/28/2018 | 11:18:47 AM
The rewards of virtue?
Perhaps too many are missing the point: intent doesn't exist in code or circuitry, any more than there's an intrinsic difference between instructions and data in binary sequences - it was that realization that enabled a quantum step forward in digital processing.  It was that same realization that gave bad actors the idea to hide malicious code in digital images, or other "data values".

Malware is just software - which can be used to do bad things; and what's bad or good will always be a judgement call. 

With bug-bounties, and hackfests, you're offering rewards (money or status), for finding new ways to refactor the code/data that exists and is necessary for the functionality of processors, operating systems and application software - ways to turn that functionality against us. 

That rewards have been issued in the past confirms that that there were latent opportunities for malware discovered; and we have every reason to believe that more will be discovered, as pursuits and pursuers become more numerous and capable. 

Of course, the expectation is that vulnerabilities will be uncovered by the good guys; and closed before the bad guys can exploit them.  But consider what happens when the discoveries leak out before the mitigations and fixes are ready; with systems that aren't (can't/won't be), updated; with vulnerabilities within intrinsic functionality of underlying processes; or all of the above - as is the case with the Meltdown/Spectre vulnerabilities, which had lain undiscovered and unexploited until....
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2018 | 4:55:21 PM
Re: Exploit hunting for fun and profit?
@Brian: More lamentably, remember Easter Eggs? They are not often to be found anymore -- and Microsoft reportedly did away with them in Office, etc. -- because of security woes.

My favorite, I think, was one in SimCity 2000 that resulted in a very excellent (IMHO) joke being scrolled up the screen.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/26/2018 | 3:52:53 PM
Exploit hunting for fun and profit?
Remember when  a programming "bug" was first rebranded as "an undocumented feature"?  That was a clever way to spin a half-truth.  Neither hardware nor software know anything of intentions; they mechanically follow the logic of their design - not the logic (valid or otherwise), of their designers.

Without denying the positives of cybersecurity research (and researchers), we should also look at the negative consequences, both realized and unanticipated. 

Bug hunters aren't looking for a programming mistake that renders some text pink rather than red; they are looking for either unintended functionality, or combinations of purposed features, which might be used by those with bad intensions - in other words: they are looking for the exploitable.  Is it always a good thing, that they find it? 
<<   <   Page 2 / 2
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.