Group of White hat hackers compromised Samsung Galaxy S9, iPhone X, Xiaomi Mi6 and earned $325,000 in Pwn2Own, two days Hacking completion in Tokyo 2018 organized by Trend Micro’s Zero Day Initiative (ZDI).
They discovered 18 Zero-day vulnerabilities in this event by various Team of White Hat hackers from different countries in this two days contest.
Researchers targeted various Phone models and successfully exploiting the vulnerabilities that exist in Samsung Galaxy S9, iPhone X, and the Xiaomi Mi6.
The First-day Hacking Completion
On the first day, the team Fluoroacetate successfully exploiting the Xiaomi Mi6 handset via NFC that was achieved using the touch-to-connect feature.
This vulnerability can be exploited by forcing users to open the web browser and navigate to their specially crafted webpage where the webpage exploited an Out-Of-Bounds write in web assembly to get code execution and they earned $30,000 USD along with 6 Pwn points.
On the same day, they returned and targeting the Samsung Galaxy S9 and successfully performed heap overflow in the baseband component to get code execution and earned another $50,000 USD with 15 Pwn points.
Fluoroacetate team returned 3rd time and targeting the iPhone X over Wi-Fi and successfully exploiting it using Pair of bugs ” a JIT vulnerability in the web browser followed by an Out-Of-Bounds write for the sandbox escape and escalation” and they earned $60,000 USD with 10P pwn points.
Finally, they earned $140,000 USD on the first day itself along with the Master of Pwn with 31 points and leader of the Pwn.
In another attempt made by MWR Labs Samsung Galaxy S9 and successfully exploit it over Wi-Fi using three different bugs.
According to ZDI press release, They forced the phone to a captive portal without user interaction, then used an unsafe redirect and an unsafe application load to install their custom application Although their first attempt failed, they nailed it on their second try to earn $30,000 USD and 6 more Master of Pwn points.
The Second-day Hacking Completion
Fluoroacetate duo team starts the second day of the event and again they target the iPhone x and fortunately they attempted the successful exploitation using by combining a JIT bug in the browser along with an Out-Of-Bounds Access to exfiltrate data from the phone.
This exploit leads an attacker to delete the picture from the victims iPhone X and they earned $50,000 and 8 more points.
MWR Labs team come back again in the second day and they target Xiaomi Mi6 handset where they exploit a combined bug that helps to install the silent app in Mi6 and load the custom app to exfiltrate pictures and earned $25,000 USD and 6 additional points.
According to ZDI in the second day, Fluoroacetate team successfully exploit five out of six successful demonstrations is pretty remarkable and we’re happy to announce the Fluoroacetate duo of Amat Cama and Richard Zhu have earned the title Master of Pwn!
Overall ZDI awarded $325,000 USD total over the two-day contest and they purchasing 18 0-day exploits.