ALPS blog

by Trend Micro

For the second time, the renowned three-day hacking competition Pwn2Own 2021 was held entirely online. Trend Micro’s Zero Day Initiative (ZDI) livestreamed the hacking attempts via YouTube, Twitch and the conference site. With 23 different attempts, it was set to be the biggest event in the history of the competition so far. Ten different products were available as targets, spread across the categories Web Browser, Virtualisation, Server, Local Escalation of Privilege and, as a new category, Enterprise Communication. Specifically, the hacking attempts targeted Safari, Chrome, Edge, Windows 10, Ubuntu, Microsoft Teams, Zoom, Parallels, Oracle VirtualBox and Microsoft Exchange.

In total, the organisers awarded $1.2 million in prize money for successful intrusion attempts. Over the three days, the participants succeeded in compromising every product except Oracle VirtualBox.

The highest prize money of $200,000 was awarded to Daan Keuper and Thijs Alkemade of Computest for their zero-click hack of Zoom, and to a participant named OV, who demonstrated code execution on Microsoft Teams. The DEVCORE team received the same amount in the Server category for taking over Microsoft Exchange by chaining an authentication bypass with a local privilege escalation.

These three participants also received the highest score, 20 points, and were crowned “Master of Pwn”.


All target systems were at the current patch level. Following the disclosure of the successful hacks, the vendors are now being informed and have 90 days to fix the vulnerabilities found.