Pwn2Own 2019 – Apple Safari, VirtualBox, VMware Hacked – Ethical Hackers Earned $240,000 by Submitting Zero-day’s

Trend Micro’s Zero Day Initiative (ZDI) vulnerability research contest
Pwn2Own 2019 Successfully started its first-day contest and the team of researchers earned $240,000 in the first day alone for the successful zero-day Submissions.

Trend Micro announced $1 million in cash and prizes through the contest for the researchers who submit the zero days the specific platform including virtualization platforms, enterprise applications, web browsers, and more.

List of Targets in Pwn2Own 2019

• Automotive Category
  • Tesla Model 3
• Virtualization Category
  • Oracle VirtualBox
  • VMware Workstation
  • VMware ESXi
  • Microsoft Hyper-V Client
• Browser Category
  • Google Chrome
  • Microsoft Edge
  • Apple Safari
  • Mozilla Firefox
• Enterprise Applications Category
  • Adobe Reader
  • Microsoft Office 365
  • Microsoft Outlook
• Server-side Category
  • Microsoft Windows RDP

Last year, Overall ZDI awarded $325,000 USD total over the two-day contest and they purchasing 18 0-day exploits.

This year’s contest, ZDI also introduced an automotive category, through a partnership with Tesla, as well as a continued partnership with Microsoft and sponsorship from VMware same as last year.

Unlike last year, this year Pwn2Own 2019 contest conducted for 3 days (20,21,22 March 2019) in which first and the second day opens for software vendors and all automotive entries will be on Day Three (March 22)

Pwn2Own 2019 – Day 1

On the very First day, a team called Fluoroacetate alone earned $160, 000 USD for the successful submission of 3 zero days.

Initially, they used a bug in JIT with a heap overflow to escape the sandbox in Safari browser and earned $55, 000 along with 5 Master of Pwn points.

The second target was Oracle VirtualBox in the virtualization category, in which they exploit integer underflow and a race condition to escape Virtual machine and they earned another $35,000  with 3 Master of Pwn points

“Third target was VMware and they leveraging a race condition leading to an out-of-bounds write in the VMware client to execute their code on the host OS”

In this case, Fluoroacetate rewarded another $70,000 and 7 more Master of Pwn points and they closed their day was closed.

Another Researcher anhdaden targeting Oracle VirtualBox in the virtualization category and he submitted integer underflow zero day exploit in Oracle VirtualBox.

In his first Pwn2Own, he earns himself $35,000 USD and 3 Master of Pwn point.

Next team Phoenhex & qwerty (@_niklasb @qwertyoruiopz @bkth_)
targeting Apple Safari and day 1 ends with a partial win $45,000 and 4 points towards Master of Pwn.

So totally $240, 000 USD rewarded in the first day alone. Stay Tuned, we keep updates the remaining 2 days results with the complete details.

Also, you can take this online Course Bundle to learn Mastery Web Hacking & Bug Bounty

Related Read