PWN2OWN

The finals of the Pwn2Own ethical hacking battle are finally over with the last events conducted on 08th April. The results were divided among 50% complete success and the remaining 50% were partial wins. The event started in a great manner at 0900 in the morning when Benjamin McBride won $40000 for executing code on host OS from within Parallels desktop.

PWN2OWNImage: Zeroday Initiative

The next set of four events towards Microsoft Exchange, Ubuntu desktop, Windows 10, and Parallels Desktop were termed as a partial success because of all the methods used in these four events and the bug reported was already known by the respective organizations. There were no cash prizes awarded here but the winners were given points towards Master of PWN. The main highlight of these events was Alisa Esage, the first woman to participate as an independent researcher, and targeted Parallels Desktop in the Virtualization category.

researcherImage Courtesy: Twitter

The final three events towards Ubuntu Desktop, Parallels Desktop and Windows 10 desktop all resulted in success and were awarded cash prizes. Vincent Dehors claimed $30,000 to escalate to the root of the Ubuntu desktop through a double-free bug. The next prize of $40,000 was claimed by Da Lao who completed guest to host via OOB Write in Parallels Desktop. The final win of the day and the tournament was achieved by Marcin Wiazowski who won a whopping amount of $40,000 after using a UAF bug to gain System Access on a Windows 10 PC.

The entire event was sponsored by VMware and other partners included Adobe, Zoom, and Tesla. The vendors of the event have 90 days to produce a fix for the vulnerabilities reported. Here is a summary report of all three days in case you missed it.

Sn No

Date
Time
Event
Person/Team

Status

1

Apr 6, 2021
1000
Apple Safari
Jack Dates
Success

2
Apr 6, 2021
1130
Microsoft Exchange
DEVCORE

Success

3

Apr 6, 2021
1300
Microsoft Teams
OV
Success

4

Apr 6, 2021
1430
Windows 10
Viettel
Success

5
Apr 6, 2021
1530
Parallels Desktop
Star Labs

Failure

6
Apr 6, 2021
1630
Ubuntu Desktop
Ryota Shiga

Success

7

Apr 6, 2021
1730
Oracle Virtualbox
Star Labs
Failure

8
Apr 7, 2021
0900
Parallels Desktop
Jack Dates

Success

9

Apr 7, 2021
1000
Google Chrome & Microsoft Edge
Bruno Keith & Niklas BaumStark
Success

10

Apr 7, 2021
1130
Microsoft Exchange
Viettel
Partial

11
Apr 7, 2021
1300
Zoom Messenger
Daan Keuper & Thijs Alkemade

Success

12
Apr 7, 2021
1430
Windows 10
Tao Yan

Success

13

Apr 7, 2021
1530
Parallels Desktop
Sunjoo Park
Success

14
Apr 7, 2021
1630
Ubuntu Desktop
Manfred Paul

Success

15

Apr 7, 2021
1730
Windows 10
z3r09
Success

16
Apr 8, 2021
0900
Parallels Desktop
Benjamin McBride

Success

17

Apr 8, 2021
1000
Microsoft Exchange
Steven Seeley
Partial

18

Apr 8, 2021
1130
Ubuntu Desktop
Star Labs

Partial

19
Apr 8, 2021
1230
Windows 10
Fabien Perigaud

Partial

20

Apr 8, 2021
1330
Parallels Desktop
Alisa Esage
Partial

21
Apr 8, 2021
1430
Ubuntu Desktop
Vincent Dehors

Success

22

Apr 8, 2021
1530
Parallels Desktop
Da Lao
Success

23
Apr 8, 2021
1630
Windows 10
Marcin Wiazowski

Success

One glance at the table above would tell you that out of the 23 events scheduled, only 2 failed as the team was not able to complete the task in the allotted time and with 5 Partials, 16 events were a complete success. The 5 partial successes were so-called because the method or bug used was already known before the contest.

For complete results and more details, click here

results

The reason for concern here is if you count the actual total number of successes then it amounts to 21 out of 23 which amounts to 91% success (including partial wins). This brings a serious thought to our mind “Are the operating systems and software we use so vulnerable by hackers?” I leave you to think and ponder over this and please share your comments in the section below.

The post PWN2OWN 2021 Final Results: A Remarkable 90% Of Hacking Attempts Were Successful appeared first on We The Geek.

Read more: wethegeek.com

Leave a comment

Your email address will not be published.