The first day of Pwn2Own 2015 paid out $317,500 to white-hat hackers at the annual event, which saw Adobe Flash, Reader, Internet Explorer and Mozilla Firefox all get pwned.
Adobe Flash saw two exploits: the first used a heap overflow remote code execution vulnerability, then leveraged a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. The team of Zeguang Zhao (Team509), Peter, Jihui Lu and wushi (KeenTeam) saw a notable payout for the feat, netting $60,000 for the Flash bug itself and a bonus of $25,000 for the SYSTEM escalation.
Nicolas Joly took home $90,000 for a pair of exploits, one for Flash and one for Adobe Reader. His Flash exploit, the second of the day, leveraged a use-after-free (UAF) remote code execution vulnerability and a sandbox-escape directory traversal vulnerability in the Flash broker, netting him $30,000.
“While an excellent bug, the payout ended up lower due to the random drawing—only the first successful entrant in each category is awarded the full payout,” explained HP’s Dustin Childs, in a recap of the event.
Joly’s compromise of Adobe Reader was executed via a stack buffer overflow—once for an info leak and again for remote code execution. He then leveraged an integer overflow to exploit the broker, bringing in $60,000.
“Not bad for writing the final part of the exploit chain on the flight to the conference (according to him),” Childs said.
KeenTeam was then back, and worked with Jun Mao to take down Adobe Reader with an integer overflow, achieving pool corruption through a different TTF bug, which allowed SYSTEM access. The whole affair was worth $55,000: $30,000 for the Reader bug and another $25,000 bonus for the SYSTEM escalation.
Two browsers also saw smack-downs. Firefox fell to Mariusz Mlynski, who used a cross-origin vulnerability followed by privilege escalation within the browser. He then used a logical flaw to escalate to SYSTEM in Windows, earning him $30,000 for the Firefox bug and an additional $25,000 bonus for the privilege escalation.
And finally, the 360Vulcan Team exploited the 64-bit version of Microsoft Internet Explorer 11 with an uninitialized memory vulnerability to achieve medium-integrity code execution. That earned $32,500.
Day 2 will focus on Apple Safari, Google Chrome and Internet Explorer as targets.