In the end, it was a nail-biter pitting Tencent Security Team Sniper (KeenLab and PC Manager) against JungHoon Lee (lokihardt) for the title of Master of Pwn for Pwn2Own 2016. After a tense last two minutes of the competition, it was Tencent Security Team Sniper and its successful code execution of a vulnerability in Microsoft’s Edge browser that earned it the title Master of Pwn for Pwn2Own 2016.
The challenge wrapped up Thursday with JungHoon Lee tied for second with 360Vulcan Team. Tencent Security Team Shield placed fourth. Each were vying for the hacker title Master of Pwn at Pwn2Own 2016, which concluded Thursday and was held in tandem with the CanSecWest security conference and hosted by Hewlett Packard Enterprise, Trend Micro, and the Zero Day Initiative.
Prize money of $460,000 and a total 98 Pwn points for Pwn2Own 2016 were awarded as follows:
Day two started out with two failed attempts to find and exploit vulnerabilities in Google Chrome browser by JungHoon Lee and Adobe Flash in system context by Tencent Security Team Sniper. It came down to the third and final attempt by both Tencent Security Team Sniper and JungHoon Lee.
Tencent Security Team Sniper was able to demonstrate a successful code execution attack against Safari to gain root privileges using a use-after-free vulnerability in Safari and an out-of-bounds vulnerability in Mac OS X.
Next up, JungHoon Lee successfully performed a code execution attack against Microsoft’s Edge browser in the system context using an uninitialized stack variable vulnerability in Edge and a directory traversal vulnerability in Microsoft Windows to get system-level privileges.
After two days of competition Tencent Security Team Sniper edged out JungHoon Lee with 13 more Pwn points and earning them the top Master of Pwn for Pwn2Own 2016 title.
In all teams at this year’s tournament found 21 new vulnerabilities in Microsoft Windows (6), Apple OS X (5), Adobe Flash (4), Apple Safari (3), Microsoft Edge (2) and one in Google Chrome (a duplicate of a previous, independently reported vulnerability).
Most notably, according to event organizers, was this year six new kernel vulnerabilities were uncovered. “Every successful attack achieved system or root privileges. This is a Pwn2Own first. It’s also a very worrying development,” wrote Christopher Budd, global threat communications for Trend Micro, in a blog post.
After two days of competition, coming out looking the best in terms of vendors was Google with only two out five attempted hacks successful (again, only previously reported vulnerabilities were exploited). Teams were only able to successfully hack Adobe Flash four out of five times. And Apple Safari was compromised three for three times and Microsoft Edge was two for two when it comes to successful attacks.