Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021

Cyber Security

The 2021 spring edition of Pwn2Own hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.

A total of $1.2 million was awarded for 16 high-profile exploits over the course of the three-day virtual event organized by the Zero Day Initiative (ZDI).

Targets with successful attempts included Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop operating systems.

Some of the major highlights are as follows —

  • Using an authentication bypass and a local privilege escalation to completely take over a Microsoft Exchange server, for which the Devcore team netted $200,000
  • Chaining a pair of bugs to achieve code execution in Microsoft Teams, earning researcher OV $200,000
  • A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system. ($200,000)
  • The exploitation of an integer overflow flaw in Safari and an out-of-bounds write to get kernel-level code execution ($100,000)
  • An exploit aimed at the Chrome renderer to hack Google Chrome and Microsoft Edge (Chromium) browsers ($100,000)
  • Leveraging use-after-free, race condition, and integer overflow bugs in Windows 10 to escalate from a regular user to SYSTEM privileges ($40,000 each)
  • Combining three flaws — an uninitialized memory leak, a stack overflow, and an integer overflow — to escape Parallels Desktop and execute code on the underlying operating system ($40,000)
  • Exploiting a memory corruption bug to successfully execute code on the host operating system from within Parallels Desktop ($40,000)
  • The exploitation of out-of-bounds access bug to elevate from a standard user to root on Ubuntu Desktop ($30,000)

The Zoom vulnerabilities exploited by Daan Keuper and Thijs Alkemade of Computest Security are particularly noteworthy because the flaws require no interaction of the victim other than being a participant on a Zoom call. What’s more, it affects both Windows and Mac versions of the app, although it’s not clear if Android and iOS versions are vulnerable as well.

Technical details of the flaws remain unclear as yet, and Zoom has a 90-day window to address the issues before they are made public. We have reached out to Zoom and we will update the story if we get a response.

In a statement sharing the findings, the Dutch security firm said the researchers “were then able to almost completely take over the system and perform actions such as turning on the camera, turning on the microphone, reading emails, checking the screen and downloading the browser history.”

Independent researcher Alisa Esage also made history as the first woman to win Pwn2Own after finding a bug in virtualization software Parallels. But she was only awarded a partial win for reasons that the issue had been reported to ZDI prior to the event.

“I can only accept it as a fact that my successful Pwn2Own participation attracted scrutiny to certain arguable and potentially outdated points in the contest rules,” Esage tweeted, adding, “In the real world there is no such thing as an ‘arguable point’. An exploit either breaks the target system or not.”