Pwn2Own 2018 Expands Targets And Raises Prize Pool To $2M

For first time at Pwn2Own, researchers will take aim at Oracle’s VirtualBox, as well as the open-source Nginx web server in attempts to reveal zero-days

The annual Pwn2Own hacking competition run by Trend Micro’s Zero Day Initiative (ZDI) is set to return for 2018, along with a longer list of targets and more money for security researchers than ever before.

Pwn2Own is a security researcher contest that typically has two events a year, with the primary event focused on browser and server technologies and a second event just for mobile technologies. The first event of 2018 is set for March 14-16 and will have five targets: virtualization, web browsers, enterprise applications, servers and a new Windows Insider Preview Challenge category.

At Pwn2Own, researchers attempt to demonstrate previously undisclosed zero-day vulnerabilities in software, with successful attempts being rewarded with cash prizes. For the 2018 event, ZDI has a total prize pool of $2 million.

Pwn2own fund

At the Pwn2Own 2017 event a total of 51 zero-day vulnerabilities were disclosed by security researchers, including flaws in VMware, Microsoft, Adobe, Apple and Ubuntu Linux technologies. In total, ZDI awarded researchers $823,000 in prize money for their efforts.

The 2017 event was the first in which Linux technologies were specifically targeted, and they’ll be back on the list for 2018. Among the 2018 targets is the open-source Apache web server running on an Ubuntu 17.10 Linux distribution. Apache is joined this year, for the first time, by the open-source Nginx web server. A successful exploit of either Apache or Nginx will yield a $100,000 award.

VMware was also a new target at the 2017 event and will be returning in 2018. VMware won’t be the only virtualization target, though. Oracle’s VirtualBox technology and Microsoft’s Hyper-V client are also on the target list this time.

ZDI is offering a $35,000 prize for a successful exploit of VirtualBox. For those who are able to exploit VMware Workstation, the award rises to $70,000. The top virtualization prize, $150,000, will go to a successful attack on the Microsoft Hyper-V client.

VirtualBox and Nginx have been added to the target list because ZDI is interested in learning what bugs might be lurking on those platforms, Dustin Childs, communications manager for ZDI, told eWEEK. In addition to the Pwn2Own event, ZDI operates a year-round program in which it buys security vulnerabilities from researchers.

“We’ve seen other VirtualBox bugs submitted to the program and want to see what types of research are being done on these products,” Childs said.

Sponsorships for 2018 Pwn2Own

Trend Micro is not footing the bill for all the awards this year, as VMware and Microsoft are co-sponsoring the event.

“As a sponsor, VMware is subsidizing awards,” Childs said. “As a partner, Microsoft is subsidizing awards and offering their own bounty as part of the prize package too.”

Part of Microsoft’s participation in the Pwn2Own 2018 event is a new program called the Windows Insider Preview Challenge. In that challenge, security researchers will take aim at pre-release Microsoft software. Microsoft will award researchers up to $250,000 for a successful exploit of Windows Defender Application Guard for Edge, while a successful remote code execution exploit of the Windows SMB (Server Message Block) protocol will earn up to $100,000.

“The pre-release software is available through the Windows Insider program,” Childs said. “The Redstone 4 (RS4) of Windows 10 will be used.”

Browser targets

The core of Pwn2Own has long been the competition’s focus on web browsers, and 2018 will not be an exception, with Google Chrome, Microsoft Edge, Apple Safari and Mozilla Firefox all on the target list.

The Apple Safari target also includes the macOS operating system. ZDI will award a researcher $55,000 for a successful exploit that enables a sandbox escape from the browser. Modern web browsers all have some form of sandboxing technology that is intended to contain the browser’s processes and prevent an attack from spreading across the system. For a researcher who is already on the system and out of the sandbox, ZDI will award a $65,000 prize for a successful macOS privilege escalation attack that enables the researcher to execute code on the system.

The Pwn2Own 2018 event is set to run March 14-16 at the CanSecWest 2018 conference held in Vancouver, Canada.

Originally published on eWeek