Wednesday, December 6, 2023

Pwn2Own 2019 – Apple Safari, VirtualBox, VMware Hacked – Ethical Hackers Earned $240,000 by Submitting Zero-day’s

Trend Micro’s Zero Day Initiative (ZDI) vulnerability research contest
Pwn2Own 2019 Successfully started its first-day contest and the team of researchers earned $240,000 in the first day alone for the successful zero-day Submissions.

Trend Micro announced $1 million in cash and prizes through the contest for the researchers who submit the zero days the specific platform including virtualization platforms, enterprise applications, web browsers, and more.

List of Targets in Pwn2Own 2019

  • Automotive Category
    • Tesla Model 3
  • Virtualization Category
    • Oracle VirtualBox
    • VMware Workstation
    • VMware ESXi
    • Microsoft Hyper-V Client
  • Browser Category
    • Google Chrome
    • Microsoft Edge
    • Apple Safari
    • Mozilla Firefox
  • Enterprise Applications Category
    • Adobe Reader
    • Microsoft Office 365
    • Microsoft Outlook
  • Server-side Category
    • Microsoft Windows RDP

Last year, Overall ZDI awarded $325,000 USD total over the two-day contest and they purchasing 18 0-day exploits.

This year’s contest, ZDI also introduced an automotive category, through a partnership with Tesla, as well as a continued partnership with Microsoft and sponsorship from VMware same as last year.

Unlike last year, this year Pwn2Own 2019 contest conducted for 3 days (20,21,22 March 2019) in which first and the second day opens for software vendors and all automotive entries will be on Day Three (March 22)

Pwn2Own 2019 – Day 1

On the very First day, a team called Fluoroacetate alone earned $160, 000 USD for the successful submission of 3 zero days.

Initially, they used a bug in JIT with a heap overflow to escape the sandbox in Safari browser and earned $55, 000 along with 5 Master of Pwn points.

The second target was Oracle VirtualBox in the virtualization category, in which they exploit integer underflow and a race condition to escape Virtual machine and they earned another $35,000  with 3 Master of Pwn points

“Third target was VMware and they leveraging a race condition leading to an out-of-bounds write in the VMware client to execute their code on the host OS”

In this case, Fluoroacetate rewarded another $70,000 and 7 more Master of Pwn points and they closed their day was closed.

Another Researcher anhdaden targeting Oracle VirtualBox in the virtualization category and he submitted integer underflow zero day exploit in Oracle VirtualBox.

In his first Pwn2Own, he earns himself $35,000 USD and 3 Master of Pwn point.

Next team Phoenhex & qwerty (@_niklasb @qwertyoruiopz @bkth_)
targeting Apple Safari and day 1 ends with a partial win $45,000 and 4 points towards Master of Pwn.

So totally $240, 000 USD rewarded in the first day alone. Stay Tuned, we keep updates the remaining 2 days results with the complete details.

Also, you can take this online Course Bundle to learn Mastery Web Hacking & Bug Bounty

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Related Read

Crowdfense Announced to Pay $3 Million Bug Bounty for iOS & Android Zero-day Exploits

Researcher Awarded $10,000 for Disclosing Critical XSS Vulnerability in Yahoo Mail


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles