Two researchers earned $200,000 on the second day of the Pwn2Own 2021 hacking competition for a Zoom exploit allowing remote code execution without user interaction.
The exploit, demonstrated by Daan Keuper and Thijs Alkemade from Computest, involves three vulnerabilities and it works on the latest versions of Windows 10 and Zoom. In the demo at Pwn2Own, the victim saw a meeting invitation from the attacker, but the victim didn’t actually have to click anything to trigger the code execution.
Also on the second day of Pwn2Own 2021, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for an exploit that works both on the Chrome and Microsoft Edge web browsers.
If attempts to hack the Parallels virtualization product failed on the first day, on the second day, Jack Dates from RET2 Systems and Sunjoo Park (aka grigoritchy) earned $40,000 each for executing code on the underlying operating system through the Parallels Desktop application.
There were also two successful attempts to escalate privileges on Windows 10 and one successful privilege escalation exploit on Ubuntu. These earned participants $40,000 and $30,000, respectively.
Team Viettel attempted to hack Microsoft Exchange, but their exploit leveraged a vulnerability that was used earlier in the competition so their attempt counted as a partial win.
On the first day of Pwn2Own 2021, participants earned $570,000, including $440,000 for exploits targeting Microsoft products (Teams, Exchange and Windows). According to Trend Micro’s Zero Day Initiative (ZDI), which organizes the competition, it’s the first time more than one million dollars have been paid out in total at Pwn2Own, and there are still several more attempts scheduled for the last day of the event.
The hacking attempts scheduled for the third day of Pwn2Own will target Parallels, Exchange, Ubuntu, and Windows 10.