Big cash prizes on offer as Pwn2Own turns difficulty setting up to eleven

KeenTeam, one of the winning teams from last year's Pwn2Own (pic from Threatpost.com)
KeenTeam, one of the winning teams from last year's Pwn2Own (pic from Threatpost.com)

Pwn2Own is back at hacking conference CanSecWest next month with an upgraded top prize of $75,000 (£52,000) to anyone who can escape a VMware Workstation virtual machine and execute code on the host operating system.

The reworked Pwn2Own competition, to be held on 16 March, sees hackers exploit zero-day flaws in software such as Google's Chrome or Apple's Safari or security nightmare Adobe Flash.

In a blog post, HPE's vulnerability research manager Brian Gorenc said that since the start of the competition in 2007, it has increased the challenge level at each new competition.

“While the latest browsers from Google, Microsoft and Apple are still targets, the Windows-based targets will be running on a VMware Workstation virtual machine. A $75K bonus will be given to those who can escape the VMware virtual machine. This is our first year including VMware as a target, and we look forward to seeing what researchers will do with it,” he said.

CanSecWest, which is held in Vancouver, hosts the competition and this year a point-based system has been set up so that entrants can score points for each successful exploit. The contestant with the highest score will receive 65,000 ZDI reward points (estimated at $25,000).

Contestants escaping VMware workstation get 13 points (and $75,000). Exploit Chrome or Microsoft Edge and get 10 points each and bag $65,000. Adobe Flash gets eight points and $60,000, Safari gets six points and $40,000.

“For example, if someone has two successful entries (Google Chrome with a sandbox escape and Microsoft Edge with a SYSTEM escalation), the total points would be 28 points – and that's in addition to the prize money itself. If two or more contestants have the same number of points at the end of the contest, each researcher will receive the ZDI reward points, sharing the Master of Pwn title,” said Gorenc.

He warned contestants that a successful entry in the contest should leverage a vulnerability to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions.

“The entry is required to defeat the target's techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and application sandboxing. The resulting payload should be executing in an elevated context (for example, on Windows-based targets, Medium integrity level or higher),” he added.

Carl Herberger, vice president of security solutions at Radware, told SCMagazineUK.com that as data centres evolve to multi-tenanted, cloud hosted and highly virtualised, the next “holy grail' is to capture the hypervisor ‘flag'.

“Once the hypervisors are significantly compromised then the idea is to have freedom of movement ‘East/West' inside a data centre which is almost completely unmonitored and insecure,” he said.

He added that this infrastructure is already under assault today. “However, this should be taken as an indication that the focus of future attacks will centre on today's popular virtualised software packages.  At $75,000 – more than most new graduates make in a year – one should assume this arcane and opaque technical domain will fall victim next.”