The white-hat hacking team of Amat Cama and Richard Zhu, together known as “Flouroacetate,” took home the majority of the prize money available on the first day of this year’s Pwn2Own competition in Vancouver, demonstrating zero-day exploits against Apple’s Safari browser as well as virtualization software from Oracle and VMware.
Other winners on Wednesday included “anhdaden,” also known as Phạm Hồng Phi of Singapore-based cybersecurity company STAR Labs, who targeted the Oracle software; and the “phoenhex & qwerty” team — Bruno Keith, Niklas Baumstark and Luca Todesco — which targeted Safari. Flouroacetate won $160,000 total, while anhdaden earned $35,000 and phoenhex & qwerty claimed $45,000 in prize money.
Confirmed! @fluoroacetate leveraged a race condition leading to an out-of-bounds write to escalate from a #VMware client to execute code on the host OS. The effort brings them another $70,000 and 7 more Master of Pwn points. Their Day 1 total is $160,000 USD. pic.twitter.com/rJoGzHrUGP
— Zero Day Initiative (@thezdi) March 20, 2019
In targeting Safari, Flouroacetate used “an integer overflow in the browser and a heap overflow to escape the sandbox,” thus taking control of the browser, according to a blog post by the Zero Day Initiative (ZDI), the organization that runs Pwn2Own.
The team’s attack on Oracle VirtualBox “used an integer underflow and a race condition to escalate from the virtual client to pop calc at medium integrity,” essentially an attack on the Windows operating system’s calculator software through Oracle’s virtualization tool.
Flouroacetate’s exploit against VMware’s Workstation used “a race condition leading to an Out-Of-Bounds write to go from the virtual client to executing code on the underlying host operating system,” meaning it jumped from a virtual operating system to the one native to the machine running it.
The anhdaden attack on Oracle VirtualBox also used an integer underflow “to escalate from the virtual client to execute his code on the hypervisor at medium integrity,” but it was different from Flouracetate’s, ZDI said. The researcher is the first Vietnamese winner at Pwn2Own, ZDI said.
The phoenhex & qwerty exploit against Safari resulted in a “complete system compromise,” ZDI said, through a kernel elevation attack — essentially a manipulation of privileges that eventually allowed them to take full control of the device. The team a prize even though one of its techniques was already known to Apple, ZDI said.
More than $1 million is available to contestants at Pwn2Own, which is held annually at the CanSecWest conference in the British Columbia city.
Thursday’s slate of demonstrations includes more attacks against web browsers — this time, it’s Mozilla Firefox and Microsoft Edge.
This year’s marquee event will be on Friday, as contestants attempt to take over the computer system of a Tesla Model 3. It will be the first time Pwn2Own has included an automotive category in the competition.