Pwn2Own 2021 – Day 2: a security duo earned $200,000 for a zero-interaction Zoom exploit allowing remote code execution.

One of the most interesting working exploits of the second day of Pwn2Own 2021 was demonstrated by security researchers Daan Keuper and Thijs Alkemade from Computest. The duo successfully targeted Zoom Messenger in the Enterprise Communications category; the white-hat hackers chained three bugs to get code execution on the target system without user interaction. The duo earned $200,000 and received 20 Master of Pwn points.

The attack scenario sees the victim receiving a meeting invitation, but the bug chain is triggered even if the victim did not click anything.

The second highest payout of the day was assigned to the security researchers Bruno Keith and Niklas Baumstark of Dataflow Security who earned $100,000 for demonstrating an exploit for Chrome and Microsoft Edge web browsers.

“The team used a Type Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points.” states the post published on the official site of the competition.

Jack Dates from RET2 Systems and Sunjoo Park (aka grigoritchy) exploited a logic bug to execute code on the underlying operating system through Parallels Desktop. The expert earned $40,000 and received 4 Master of Pwn points.

Manfred Paul earned $30,000 and 3 points towards Master of Pwn targeting Ubuntu Desktop; the hacker exploited an OOB access bug to escalate to a root user on Ubuntu Desktop.

Day two ended with the success of a researcher who uses the moniker z3r09, targeting Windows 10. z3r09 exploited an integer overflow issue to escalate his permissions up to NT Authority\SYSTEM. He earned $40,000 and 4 Master of Pwn points.

The only partial success of the day was the result of the attempt of Team Viettel targeting Microsoft Exchange in the Server category.

Team Viettel successfully demonstrated their exploit on the Exchange server, but some of the bugs chained by the team had been previously reported in the contest. Anyway, the team received 7.5 Master of Pwn points.

On the first day of the competition, participants earned more than half a million dollars for demonstrating five working exploits out of seven attempts.


Pierluigi Paganini

The post Pwn2Own 2021 Day 2 – experts earned $200K for a zero-interaction Zoom exploit appeared first on Security Affairs.