Thursday, October 10, 2024
HomeBug BountyPwn2Own 2019 - Apple Safari, VirtualBox, VMware Hacked - Ethical Hackers...

Pwn2Own 2019 – Apple Safari, VirtualBox, VMware Hacked – Ethical Hackers Earned $240,000 by Submitting Zero-day’s

Published on

Trend Micro’s Zero Day Initiative (ZDI) vulnerability research contest
Pwn2Own 2019 Successfully started its first-day contest and the team of researchers earned $240,000 in the first day alone for the successful zero-day Submissions.

Trend Micro announced $1 million in cash and prizes through the contest for the researchers who submit the zero days the specific platform including virtualization platforms, enterprise applications, web browsers, and more.

List of Targets in Pwn2Own 2019

  • Automotive Category
    • Tesla Model 3
  • Virtualization Category
    • Oracle VirtualBox
    • VMware Workstation
    • VMware ESXi
    • Microsoft Hyper-V Client
  • Browser Category
    • Google Chrome
    • Microsoft Edge
    • Apple Safari
    • Mozilla Firefox
  • Enterprise Applications Category
    • Adobe Reader
    • Microsoft Office 365
    • Microsoft Outlook
  • Server-side Category
    • Microsoft Windows RDP

Last year, Overall ZDI awarded $325,000 USD total over the two-day contest and they purchasing 18 0-day exploits.

- Advertisement - EHA

This year’s contest, ZDI also introduced an automotive category, through a partnership with Tesla, as well as a continued partnership with Microsoft and sponsorship from VMware same as last year.

Unlike last year, this year Pwn2Own 2019 contest conducted for 3 days (20,21,22 March 2019) in which first and the second day opens for software vendors and all automotive entries will be on Day Three (March 22)

Pwn2Own 2019 – Day 1

On the very First day, a team called Fluoroacetate alone earned $160, 000 USD for the successful submission of 3 zero days.

Initially, they used a bug in JIT with a heap overflow to escape the sandbox in Safari browser and earned $55, 000 along with 5 Master of Pwn points.

The second target was Oracle VirtualBox in the virtualization category, in which they exploit integer underflow and a race condition to escape Virtual machine and they earned another $35,000  with 3 Master of Pwn points

“Third target was VMware and they leveraging a race condition leading to an out-of-bounds write in the VMware client to execute their code on the host OS”

In this case, Fluoroacetate rewarded another $70,000 and 7 more Master of Pwn points and they closed their day was closed.

Another Researcher anhdaden targeting Oracle VirtualBox in the virtualization category and he submitted integer underflow zero day exploit in Oracle VirtualBox.

In his first Pwn2Own, he earns himself $35,000 USD and 3 Master of Pwn point.

Next team Phoenhex & qwerty (@_niklasb @qwertyoruiopz @bkth_)
targeting Apple Safari and day 1 ends with a partial win $45,000 and 4 points towards Master of Pwn.

So totally $240, 000 USD rewarded in the first day alone. Stay Tuned, we keep updates the remaining 2 days results with the complete details.

Also, you can take this online Course Bundle to learn Mastery Web Hacking & Bug Bounty

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Related Read

Crowdfense Announced to Pay $3 Million Bug Bounty for iOS & Android Zero-day Exploits

Researcher Awarded $10,000 for Disclosing Critical XSS Vulnerability in Yahoo Mail

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...