Pwn2Own 2021 Hacked Windows, Ubuntu, Zoom, Safari, and MS Exchange
- Cyber Cluster
- Apr 13, 2021
On 8th April, at the 2021 spring edition of the Pwn2Own hacking competition, Zoom, Apple Safari, Microsoft Exchange, Microsoft Teams, Parallels Desktop, Windows 10, and Ubuntu Desktop were among the targets that were successfully attacked. The competition ended in a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade.

During the three-day virtual event hosted by the Zero Day Initiative (ZDI), a total of $1.2 million was awarded for 16 high-profile exploits.
The following are some of the big highlights:

- The Devcore team earned $200,000 for completely taking over a Microsoft Exchange server using an authentication bypass and a local privilege escalation.
- A pair of bugs were chained together to achieve code execution in Microsoft Teams, winning researcher OV $200,000 in the process.
- A three-bug chain was used to exploit the Zoom messenger app and achieve code execution on the target device in a zero-click exploit ($200,000)
- Exploiting a Safari integer overflow error and an out-of-bounds write to execute kernel-level code ($100,000)
- Hacking Google Chrome and Microsoft Edge (Chromium) browsers using a Chrome renderer vulnerability ($100,000)
- Using use-after-free, race condition, and integer overflow bugs in Windows 10 to elevate from a normal user to SYSTEM privileges ($40,000 each)
- Using three defects — an uninitialized memory leak, a stack overflow, and an integer overflow — to escape Parallels Desktop and run code on the underlying operating system ($40,000)
- Using a memory corruption flaw in Parallels Desktop to successfully execute code on the host operating system ($40,000)
- Exploiting an out-of-bounds access flaw on Ubuntu Desktop to elevate from a normal user to root ($30,000)

The Zoom flaws exploited by Computest Security's Daan Keuper and Thijs Alkemade are notable because they require no interaction from the victim other than being a participant on a Zoom call. Furthermore, they affect both the Windows and Mac versions of the software, but it's unclear if the Android and iOS versions are still affected.
The researchers "were then able to nearly fully take over the device and perform acts such as turning on the camera, turning on the microphone, reading emails, reviewing the screen, and downloading the browser history," according to a statement released by the Dutch security firm.
When approached for comment, Zoom stated that it had pushed a server-side update to fix the bugs and that it is working on adding additional security features to address the security flaws. Before the problems are made public, the organization has a 90-day window to fix them.
"On April 9, we published a server-side update that defends against the Pwn2Own on Zoom Chat assault," a company spokesperson told The Hacker News. "Our users are not required to take any action as a result of this update. Additional mitigations are still being developed in order to completely resolve the underlying issues."
The company further stated that it is unaware of any proof of active exploitation of these flaws, noting that the flaws do not affect in-session chat in Zoom Meetings and that the "attack can only be conducted by an external contact that the target has already acknowledged or be a part of the target's same organizational account."
Alisa Esage, an independent researcher, became the first woman to win Pwn2Own after discovering a flaw in the virtualization platform Parallels. However, she was only given a partial victory because the problem had been reported to ZDI prior to the event.
"In the real world, there is no such thing as an 'arguable point,'" Esage tweeted, adding, "I can only recognize it as a fact that my good Pwn2Own involvement drew attention to some arguable and potentially obsolete points in the contest rules." "An exploit either breaks or doesn't break the target machine."