Pwn2Own 2021 was the latest edition of the most important hacking contest in the world. It is held annually, and once again it paid out large prizes, since no targeted software resisted.

The objective of Pwn2Own 2019 remains the same as the one established at its inception: find critical vulnerabilities in a controlled environment so that vendors can improve the security of their products before the flaws are exploited in the wild. Participants agree to hand over their entire research privately and not to publish it for a minimum period of 90 days.

In return, the vendors hand out substantial prizes. It is a good investment, considering that the event draws the best white-hat hackers and security researchers on the planet, people who anticipate what cybercriminals may attempt and thereby strengthen the security of software and devices.

Pwn2Own 2021

Today the contest is much more than the annual snapshot of web browser and operating system security that it was in its early years. This year’s event, held virtually and organized by the Zero Day Initiative (ZDI), was one of the largest in the history of Pwn2Own, with 23 separate entries targeting 10 different products across the categories of web browsers, virtualization, servers, local privilege escalation, automotive, and a new category, enterprise communications.

No target was left standing: successful attempts ranged from Zoom to Apple Safari, Microsoft Exchange, Chrome and Edge, Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop. This year’s event awarded $1.2 million in prizes for 16 high-profile exploits.

Among the most notable hacks:

- Local privilege escalation to fully take over a Microsoft Exchange server, earning the Devcore team $200,000.
- Chaining a pair of bugs to achieve code execution in Microsoft Teams, for which a researcher received another $200,000.
- A 0-day exploit against Zoom that used a chain of three bugs to compromise the messaging application and execute code on the target system, for $200,000.
- Exploiting an integer overflow flaw in Safari together with an out-of-bounds write to gain kernel-level code execution, rewarded with $100,000.
- An exploit targeting the Chromium renderer that compromised both Google Chrome and the Chromium-based Microsoft Edge, valued at $100,000.
- Taking advantage of integer overflow bugs in Windows 10, several researchers escalated from a normal user to administrative privileges for $40,000.
- Combining three flaws (an uninitialized memory leak, a stack overflow, and an integer overflow) to break out of the Parallels Desktop virtualizer and run code on the underlying operating system, earning $40,000.
- Taking advantage of a memory corruption bug to execute code on the host operating system from within Parallels Desktop, earning the same amount as above.
- Exploiting an out-of-bounds access vulnerability so that a standard user gained root privileges on Ubuntu Desktop, earning $30,000.
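Several of the winning entries above chained an integer overflow into an out-of-bounds write. The following C program, added here as an illustration and not code from any Pwn2Own entry or from the affected products, shows the generic defect pattern in a constructed record-parsing routine: a count-times-size multiplication that wraps in 32-bit arithmetic, placed beside the checked version that rejects the input before anything is allocated or written. The message format, REC_SIZE and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REC_SIZE 16u   /* bytes per record in the constructed message format (assumed) */

/* Constructed message: a 32-bit record count followed by count*REC_SIZE payload bytes. */
struct msg {
    uint32_t count;
    const uint8_t *payload;
    size_t payload_len;
};

/* Naive size computation of the kind behind integer-overflow bugs: the 32-bit
 * multiply wraps, so a huge count yields a tiny allocation while later code still
 * trusts count as the number of records to write. Shown only to demonstrate the
 * wrap; it is never used to size a buffer in this example. */
uint32_t naive_total_size(uint32_t count) {
    return count * REC_SIZE;
}

/* Checked computation: refuse any count whose byte size cannot be represented. */
bool checked_total_size(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / REC_SIZE) {
        return false;   /* count * REC_SIZE would wrap */
    }
    *out = count * REC_SIZE;
    return true;
}

/* Hardened copy: validates the size arithmetic and the available payload length
 * before allocating or writing anything. Returns NULL on any inconsistency. */
uint8_t *copy_records(const struct msg *m, size_t *out_len) {
    uint32_t total;
    if (!checked_total_size(m->count, &total)) {
        return NULL;                       /* header count is absurdly large */
    }
    if (total > m->payload_len) {
        return NULL;                       /* header claims more data than present */
    }
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL) {
        return NULL;
    }
    memcpy(buf, m->payload, total);        /* bounded by both checks above */
    *out_len = total;
    return buf;
}

int main(void) {
    uint8_t payload[3 * REC_SIZE];
    memset(payload, 0x41, sizeof payload);  /* constructed payload: three records */

    struct msg good = { 3u, payload, sizeof payload };
    struct msg bad  = { 0x10000001u, payload, sizeof payload };  /* count * 16 wraps to 16 */

    size_t n = 0;
    uint8_t *b = copy_records(&good, &n);
    printf("good message: %zu bytes copied\n", n);
    free(b);

    printf("naive size for bad count: %u (wrapped)\n", naive_total_size(bad.count));
    printf("hardened copy of bad message: %s\n",
           copy_records(&bad, &n) ? "accepted" : "rejected");
    return 0;
}
```

The point a reviewer looks for is that the multiplication is checked before the allocation, not after: once `naive_total_size` has wrapped, the small buffer and the large count are both already in hand and every later write is out of bounds.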

In addition to the targets above, Tesla had put up a Model 3 car, but no team entered. The automotive category was introduced in 2019, and a researcher has already won a Tesla Model 3 by hacking it.

The exploited Zoom vulnerabilities stand out because they require no interaction from the victim beyond taking part in a Zoom call. They affect the Windows and Mac versions of the app, although it is unclear whether the Android and iOS versions are also vulnerable.

As always, once the vulnerabilities have been exploited and disclosed in a controlled manner at Pwn2Own 2021, software and hardware vendors have 90 days to publish security fixes for all reported flaws. We leave you with the complete video of a conference that is very interesting for the technology industry.