Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference, beginning in 2007. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited, a cash prize, and a "Masters" jacket celebrating the year of their win. The name "Pwn2Own" is derived from the fact that contestants must "pwn" or hack the device in order to "own" or win it. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.
The first contest was conceived and developed by Dragos Ruiu in response to his frustration with Apple's lack of response to the Month of Apple Bugs and the Month of Kernel Bugs, as well as Apple's television commercials that trivialized the security built into the competing Windows operating system. At the time, there was a widespread belief that, despite these public displays of vulnerabilities in Apple products, OS X was significantly more secure than any other competitors.
On March 20, roughly three weeks before CanSecWest that year, Ruiu announced the Pwn2Own contest to security researchers on the DailyDave mailing list. The contest was to include two MacBook Pros that he would leave on the conference floor hooked up to their own wireless access point. Any conference attendee that could connect to this wireless access point and exploit one of the devices would be able to leave the conference with that laptop. There was no monetary reward. Ruiu further outlined that there would be progressively loosened restrictions on what hacks were acceptable over the three days of the conference.
On the first day of the conference, Ruiu asked Terri Forslof of the Zero Day Initiative (ZDI) to participate in the contest. ZDI has a programme which purchases zero-day attacks, reports them to the affected vendor and turns them into signatures for their own network intrusion detection system, increasing its effectiveness. The vulnerabilities sold to ZDI are made public only after the affected vendor has issued a patch for it. Forslof agreed to have ZDI offer to purchase any vulnerabilities used in the contest for a flat price of $10,000.
Summary of successful exploits
The first contest was intended to highlight the insecurity of Apple's Mac OS X operating system since, at the time, there was a widespread belief that OS X was far more secure than its competitors. The contest took place from Thursday, April 18 to Saturday, April 20, 2007.
Two MacBook Pro laptops, one 13" and one 15", were left on the conference floor at CanSecWest and joined to a separate wireless network. Only certain attacks were allowed and these restrictions were progressively loosened over the three days of the conference.
- Day 1: Remote attacks only. Contestants must join the wireless network and perform their attacks without user interaction.
- Day 2: Browser attacks included. Contestants could send a link to the contest e-mail address, which an organizer would click on from one of the contest laptops.
- Day 3: Local attacks included. Contestants could insert a USB stick or attempt to communicate with the contest laptops over Bluetooth.
In order to win the 15" MacBook Pro, contestants would be required to further escalate their privileges to root after gaining access with their initial exploit.
After the $10,000 prize was announced by ZDI and the laptops were not hacked on the first day, Shane Macaulay called up former co-worker Dino Dai Zovi in New York and urged him to compete in the second day. Starting on Thursday night, Dai Zovi found and exploited a previously unknown vulnerability in a QuickTime library loaded by Safari by 3am that night. The following morning, Dai Zovi packaged up his exploit code and sent it to Macaulay at the conference in Vancouver. Macaulay placed Dai Zovi's exploit code on a website and e-mailed the contest organizers a link to it. When clicked on the contest laptop, Dai Zovi's exploit code allowed Shane to take control of the laptop, winning the contest by proxy for Dai Zovi. As a thank you for helping him win the contest, Dai Zovi let Macaulay keep the 15" MacBook Pro. Dai Zovi separately sold the vulnerability to ZDI for the $10,000 prize.
After the successful 2007 contest, the scope of the Pwn2Own contest was expanded to include a wider array of operating systems and browsers. The contest would demonstrate the widespread insecurity of all software in widespread use by consumers. Dragos refined the contest with the help of a wide panel of industry experts and the contest was administered by ZDI, who would again offer to purchase the vulnerabilities after their demonstration. As with all the vulnerabilities that ZDI purchases, the details of the vulnerabilities used in Pwn2Own would be provided to the affected vendors and public details would be withheld until a patch was made available. All contestants who successfully demonstrated exploits at the contest could sell their vulnerabilities to ZDI for prizes of $20,000 on the first day, $10,000 on the second day, and $5,000 on the third day. Pwn2Own 2008 took place from Thursday, March 26 to Saturday, March 28, 2008.
In the 2008 contest, there were three different target laptops each running the default installation of either Windows Vista Ultimate SP1, OS X 10.5.2, and Ubuntu Linux 7.10. As in the previous year's contest, Pwn2Own took place over the course of three days and only certain attacks were allowed on each day.
- Day 1: Remote attacks only. Contestants must join the same network as the target laptop and perform their attack without user interaction and without authentication.
- Day 2: Browser and Instant messaging attacks included. Contestants could send a link to the contest e-mail address, which an organizer would click on from one of the contest laptops. The organizers would also sign into and receive IMs from the default, vendor-supplied IM client.
- Day 3: Third-party client applications included. Contestants could target popular third-party software, such as Adobe Reader and Flash, Sun Java, and Microsoft Silverlight.
The laptop running OS X was exploited on the second day of the contest with an exploit for the Safari browser co-written by Charlie Miller, Jake Honoroff and Mark Daniel of Independent Security Evaluators. Their exploit targeted an open-source subcomponent of the Safari browser.
The laptop running Windows Vista SP1 was exploited on the third day of the contest with an exploit for Adobe Flash co-written by Shane Macaulay, Alexander Sotirov, and Derek Callaway. After the contest, Adobe disclosed that they had co-discovered the same vulnerability internally and had been working on a patch at the time of Pwn2Own.
The laptop running Ubuntu was not exploited.
After having considerably more success targeting web browsers than any other category of software, the third Pwn2Own focused on popular browsers used on consumer desktop operating systems. It added another category of mobile devices which contestants were challenged to hack via many remote attack vectors including email, SMS messages, and website browsing. Pwn2Own 2009 took place over the three days of CanSecWest from Thursday, March 18 to Saturday, March 20, 2009. All contestants who demonstrated successful exploits at the contest were offered rewards for the underlying vulnerabilities by ZDI, $5,000 for browser exploits and $10,000 for mobile exploits.
Web browser rules
The browser targets were Internet Explorer 8, Firefox, and Chrome installed on a Sony Vaio running Windows 7 Beta and Safari and Firefox installed on a MacBook running Mac OS X. All browsers were fully patched and in default configurations on the first day of the contest. As in previous years, the attack surface contest expanded over the three days.
- Day 1: Contestants must target functionality in the default browser without access to any plugins.
- Day 2: Adobe Flash, Sun Java, Microsoft .NET Framework, and Apple QuickTime were included.
- Day 3: Other popular third party plugins were included, like Adobe Reader.
Multiple winners per target were allowed, but only the first contestant to exploit each laptop would get it.
Mobile device rules
- BlackBerry: Unknown
- Android: T-Mobile G1
- iPhone: Apple iPhone 2.0
- Symbian: Nokia N95
- Windows Mobile: HTC Touch
- Day 1: Device can receive SMS, MMS, and e-mail but messages will not be read. Wifi (if on by default), Bluetooth (if on by default), and radio stack were also in-scope.
- Day 2: SMS, MMS, and e-mail will be opened and read. Wifi turned on. Bluetooth turned on and paired with a nearby headset (additional pairing disallowed).
- Day 3: One level of user interaction with the default applications.
In order to prove that they were able to successfully compromise the device, contestants had to demonstrate they could collect sensitive data from the mobile device or incur some type of financial loss from the mobile device owner.
Multiple winners per device were allowed, but only the first contestant to exploit each mobile device would get it (along with a one-year phone contract).
The first contestant to be selected was Charlie Miller. He exploited Safari on OS X without the aid of any browser plugins. In interviews after winning the contest, Miller stressed that while it only took him minutes to run his exploit against Safari it took him many days to research and develop the exploit he used.
A researcher identified only as Nils was selected to go after Miller. Nils successfully ran an exploit against Internet Explorer 8 on Windows 7 Beta. In writing this exploit, Nils had to bypass anti-exploitation mitigations that Microsoft had implemented in Internet Explorer 8 and Windows 7, including Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR).
Near the end of the first day, Julien Tinnes and Sami Koivu (remote) successfully exploited Firefox and Safari on OS X with a vulnerability in Java. At the time, OS X had Java enabled by default which allowed for reliable exploitation against that platform. However, due to having reported the vulnerabilities to the vendor already, Tinnes' participation fell outside the rules of the contest and was unable to be rewarded.
The competition started at March 24, 2010 and had a total cash prize pool of US$100,000. On March 15—nine days before the contest was to begin—Apple released sixteen patches for WebKit and Safari.
Software to exploit
- Microsoft Internet Explorer 8 on Windows Vista
- Mozilla Firefox 3 on Windows Vista
- Google Chrome 4 on Windows Vista
- Apple Safari 4 on Mac OS X Snow Leopard
- Microsoft Internet Explorer 8 on Windows XP
- Mozilla Firefox 3 on Windows XP
- Google Chrome 4 on Windows XP
- Apple Safari 4 on Mac OS X Snow Leopard
Target: Mobile Phones
- Charlie Miller successfully hacked Safari 4 on Mac OS X.
- Peter Vreugdenhil exploited Internet Explorer 8 on Windows 7 by using two vulnerabilities that involved bypassing ASLR and evading DEP.
- Nils hacked Firefox 3.6 on Windows 7 64-bit by using a memory corruption vulnerability and bypass ASLR and DEP. Mozilla patched the security flaw in Firefox 3.6.3.
- Ralf-Philipp Weinmann and Vincenzo Iozzo hacked the iPhone 3GS by bypassing the digital code signatures used on the iPhone to verify that the code in memory is from Apple.
The Opera web browser was left out of the contests as a target: The ZDI team argued that Opera had a low market share and that Chrome and Safari are only included "due to their default presence on various mobile platforms". However, Opera's rendering engine, Presto, is present on millions of mobile platforms.
The web browser targets for the 2011 contest included Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, and Google Chrome. New to the Pwn2Own contest was the fact that a new attack surface was allowed for penetrating mobile phones, specifically over cellphone basebands. The mobile phone targets were Dell Venue Pro running Windows Phone 7, iPhone 4 running iOS, BlackBerry Torch 9800 running BlackBerry OS 6.0, and Nexus S running Android 2.3.
The following teams registered for the desktop browser contest:
- Apple Safari: VUPEN, Anon_07, Team Anon, Charlie Miller
- Mozilla Firefox: Sam Thomas, Anonymous_1
- Microsoft Internet Explorer: Stephen Fewer, VUPEN, Sam Thomas, Ahmed M Sleet
- Google Chrome: Moatz Khader, Team Anon, Ahmed M Sleet
For the mobile browser category, the following teams registered:
- Apple iPhone: Anon_07, Dion Blazakis and Charlie Miller, Team Anon, Anonymous_1, Ahmed M Sleet
- RIM Blackberry: Anonymous_1, Team Anon, Ahmed M Sleet
- Samsung Nexus S: Jon Oberheide, Anonymous_1, Anon_07, Team Anonymous
- Dell Venue Pro: George Hotz, Team Anonymous, Anonymous_1, Ahmed M Sleet
During the first day of the competition Safari and Internet Explorer were defeated by researchers.
Safari was version 5.0.3 installed on a fully patched Mac OS X 10.6.6. French security firm VUPEN was first to attack the browser, and five seconds after the browser visited its specially crafted malicious web page, it had both launched a standard harmless payload (to demonstrate that arbitrary code had been executed) and written a file to the hard disk (to demonstrate that the sandbox had been bypassed).
Internet Explorer was a 32-bit version 8 installed on 64-bit Windows 7 Service Pack 1. Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. This was demonstrated Just as with Safari.
In day 2 the iPhone 4 and Blackberry Touch 9800 were both exploited.
The iPhone was running iOS 4.2.1, however the flaw exists in version 4.3 of the iOS. Security researchers Charlie Miller and Dion Blazakis were able to gain access to the iPhone's address book through a vulnerability in Mobile Safari by visiting their exploit ridden webpage.
The Blackberry Torch 9800 phone was running BlackBerry OS 18.104.22.168. The team of Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann took advantage of a vulnerability in the Blackberry's WebKit based web browser by visiting their previously prepared webpage.
Firefox, Android, and Windows Phone 7 were scheduled to be tested during day 2, but the security researchers that had been chosen for these platforms did not attempt any exploits. Sam Thomas had been selected to test Firefox, but he withdrew stating that his exploit was not stable. The researchers that had been chosen to test Android and Windows Phone 7 did not show up.
No teams showed up for day three. Chrome and Firefox were not hacked.
At Pwn2Own, Chrome was successfully exploited for the first time. VUPEN declined to reveal how they escaped the sandbox, saying they would sell the information. Internet Explorer 9 on Windows 7 was successfully exploited next. Firefox was the third browser to be hacked using a zero day exploit.
Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero day portion of pwn2own. Versions of Safari that were not fully patched and running on Mac OS X Snow Leopard were compromised during the CVE portion of pwn2own. It should be noted that significant improvements in the security mitigations within Mac OS X were introduced in Lion.
Controversy with Google
Google withdrew from sponsorship of the event because the 2012 rules did not require full disclosure of exploits from winners, specifically exploits to break out of a sandboxed environment and demonstrated exploits that did not "win". Pwn2Own defended the decision, saying that it believed that no hackers would attempt to exploit Chrome if their methods had to be disclosed. Google offered a separate "Pwnium" contest that offered up to $60,000 for Chrome-specific exploits. Non-Chrome vulnerabilities used were guaranteed to be immediately reported to the appropriate vendor. Sergey Glazunov and a teenager identified as "PinkiePie" each earned $60,000 for exploits that bypassed the security sandbox. Google issued a fix to Chrome users in less than 24 hours after the Pwnium exploits were demonstrated.
Google returned as a sponsor and the rules were changed to require full disclosure of exploits and techniques used. Web browsers Google Chrome, Internet Explorer and Firefox, along with Windows 8 and Java, were exploited.
French security firm VUPEN has successfully exploited a fully updated Internet Explorer 10 on Microsoft Surface Pro running a 64-bit version of Windows 8 and fully bypassed Protected Mode sandbox without crashing or freezing the browser. The VUPEN team then exploited Mozilla Firefox, Adobe Flash, and Oracle Java .
Nils and Jon from MWRLabs were successful at exploiting Google Chrome using WebKit and Windows kernel flaws to bypass Chrome sandbox and won $100,000.
George Hotz exploited Adobe Acrobat Reader and escaped the sandbox to win $70,000. James Forshaw, Joshua Drake, and Ben Murphy independently exploited Oracle Java to win $20,000 each.
Apple Safari on Mountain Lion was not targeted as no teams showed up.
Mobile Pwn2Own 2013
The Mobile Pwn2Own 2013 contest was held November 13–14, 2013, during the PacSec 2013 Conference in Tokyo, Japan.
At Pwn2Own 2014, VUPEN successfully exploited fully updated Internet Explorer 11, Adobe Reader XI, Google Chrome, Adobe Flash, and Mozilla Firefox on a 64-bit version of Windows 8.1, to win a total of $400,000—the highest payout to a single competitor to date. The company used a total of 11 distinct zero-day vulnerabilities.
Nico Joly of the VUPEN team—was the sole competitor to take on Windows Phone (the Lumia 1520) this year, entering with an exploit aimed at IE 11 mobile. He was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system.
Internet Explorer 11 on Windows 8.1 was successfully exploited by Sebastian Apelt and Andreas Schmidt for a prize of $100,000.
Mozilla Firefox was exploited by Jüri Aedla, Mariusz Młyński, and George Hotz each independently, winning $50,000 each.
An anonymous participant exploited Google Chrome; however, upon review contest judges declared this a partial win due to one portion of the presentation’s collision with a vulnerability exploited earlier in the week in the Pwnium competition.
In 2016, Chrome, Microsoft Edge and Safari were all hacked. Firefox did not even participate as it was considered too easy to hack.
In 2018, the conference was much smaller and sponsored primarily by Microsoft. Shortly before the conference, Microsoft had patched several vulnerabilities in Edge, causing many teams to withdraw. Nevertheless, certain openings were found in Edge, Safari, Firefox and more. It does not appear that Chrome participated. While many Microsoft products had large rewards available to anyone who was able to gain access through them, only Edge was successfully exploited.
- Ruiu, Dragos (March 20, 2007). "PWN to OWN (was Re: How Apple orchestrated web attack on researchers)". Retrieved April 1, 2012.
- Naraine, Ryan (February 1, 2007). "Mac Developer mulling OS X equivalent of ZERT". Retrieved April 1, 2012.
- Orchant, Marc (February 6, 2007). "Cancel or Allow? Good poke at Vista UAC". Retrieved April 1, 2012.
- Naraine, Ryan (March 26, 2007). "How long can a Mac survive the hacker jungle?". Archived from the original on January 25, 2013. Retrieved April 1, 2012.
- "About the Zero Day Initiative". Retrieved April 1, 2012.
- Forslof, Terri (May 3, 2007). "Apple issues patch for QuickTime flaw". Retrieved April 1, 2012.
- "Pwn2Own 2015: The year every web browser went down | ZDNet". ZDNet. Retrieved 2015-11-25.
- Goodin, Dan (20 April 2007). "Safari zero-day exploit nets $10,000 prize". Vancouver: The Register. Retrieved 10 April 2010.
- "Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability". Retrieved 31 March 2012.
- Naraine, Ryan (April 23, 2007). "10 questions for MacBook hacker Dino Dai Zovi". ZDNet. Retrieved 16 November 2010.
- Vaas, Lisa (April 20, 2007). "Mac Hacked Via Safari Browser in Pwn-2-Own Contest". eWeek. Retrieved March 10, 2011.
- Forslof, Terri (March 19, 2008). "CanSecWest PWN to OWN 2008 (updated)". Retrieved April 1, 2012.
- Ruiu, Dragos (March 20, 2008). "CanSecWest 2008 PWN2OWN - Mar 26-28". Retrieved April 1, 2012.
- "Apple Safari WebKit PCRE Handling Integer Overflow Vulnerability". April 16, 2008. Retrieved April 1, 2012.
- "PWN to OWN Day Two: First Winner Emerges! (updated)". March 27, 2008. Retrieved April 1, 2012.
- "Adobe Flash Player DeclareFunction2 Invalid Object Use Vulnerability". April 8, 2008. Retrieved April 1, 2012.
- "PWN to OWN: Final Day (and another winner!)". March 28, 2008. Retrieved April 1, 2012.
- Kebbel-Wyen, John (April 4, 2008). "Adobe Product Security Incident Response Team (PSIRT) Blog / CanSecWest 2008 Pwn2Own Contest". Retrieved April 1, 2012.
- Forslof, Terri (25 Feb 2009). "Pwn2Own 2009". Digital Vaccine Laboratories. TippingPoint. Retrieved 11 April 2010.
- Ruiu, Dragos (February 15, 2009). "CanSecWest 2009 Speakers and Dojo courses (Mar 14-20)". Retrieved April 1, 2012.
- Ruiu, Dragos (March 18, 2009). "PWN2OWN Final Rules". Archived from the original on April 4, 2012. Retrieved April 1, 2012.
- "Apple OS X ATSServer Compact Font Format Parsing Memory Corruption Vulnerability". May 13, 2009. Retrieved April 1, 2012.
- Foresman, Chris (March 27, 2009). "Pwn2Own winner says Macs are more safe, though less secure". Ars Technica. Retrieved 11 April 2010.
- Forslof, Terri (March 18, 2009). "Pwn2Own 2009 Day 1 - Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits". Retrieved April 1, 2009.
- "Microsoft Internet Explorer 8 Rows Property Dangling Pointer Code Execution Vulnerability". June 10, 2009. Retrieved April 1, 2012.
- "Apple Safari Malformed SVGList Parsing Code Execution Vulnerability". May 13, 2009. Retrieved April 1, 2012.
- "Mozilla Firefox XUL _moveToEdgeShift() Memory Corruption Vulnerability". March 30, 2009. Retrieved April 1, 2012.
- Tinnes, Julien. "Write once, own everyone, Java deserialization issues". Retrieved 8 September 2013.
- Forslof, Terri (March 21, 2009). "Pwn2Own Wrap Up". Retrieved April 1, 2012.
- Portnoy, Aaron (15 Feb 2010). "Pwn2Own 2010". TippingPoint. Retrieved 10 April 2010.
- "About the security content of Safari 4.0.5". Apple Inc. 15 March 2010. Retrieved 4 May 2010.
- Mills, Elinor (March 24, 2010). "iPhone, Safari, IE 8, Firefox hacked in CanSecWest contest". CNet. Retrieved 10 April 2010.
- "Mozilla Foundation Security Advisory 2010-25 - Re-use of freed object due to scope confusion". Mozilla. April 1, 2010. Retrieved 10 April 2010.
- "Opera Mini reaches important milestone — Crosses 50 million active users". Opera Software ASA. February 12, 2010. Retrieved 23 July 2011.
- "One browser. 3000 phones". Opera Software ASA. July 8, 2010. Retrieved 23 July 2011.
- "One hundred million". Opera Software ASA. February 10, 2011. Retrieved 23 July 2011.
- "Opera reaches (another) 100 million users". Opera Software ASA. April 7, 2011. Retrieved 23 July 2011.
- Announcing Pwn2Own 2011, TippingPoint Digital Vaccine Laboratories Blog
- "pwn2own day one: Safari, IE8 fall, Chrome unchallenged".
- "Pwn2Own day 2: iPhone, BlackBerry beaten; Chrome, Firefox no-shows".
- "Zero Day Initiative". Archived from the original on 2012-03-01.
- Ryan Naraine, Charlie Miller skipping Pwn2Own as new rules change hacking game, ZDnet, March 7, 2012
- Pwn2Own 2012: Google Chrome browser sandbox first to fall, ZDnet, March 7, 2012
- IE 9, on most secure Windows yet, next browser to fall at hacker contest, Ars Technica, March 8, 2012
- Researchers hack into newest Firefox with zero-day flaw, ZDnet, March 9, 2012 Archived March 13, 2012, at the Wayback Machine.
- PWN2OWN 2012 rules Archived March 1, 2012, at the Wayback Machine.
- PWN2OWN 2012 status Archived June 26, 2012, at the Wayback Machine.
- Ryan Naraine, CanSecWest Pwnium: Google Chrome hacked with sandbox bypass, ZDnet, March 7, 2012
- "At hacking contest, Google Chrome falls to third zero-day attack (Updated)".
- "After the pwnage: Critical Google Chrome hole plugged in 24 hours".
- Show off Your Security Skills: Pwn2Own and Pwnium 3, The Chromium Blog, January 28, 2013
- "Chrome; Firefox; IE 10; Java; Win 8 fall at #pwn2own hackfest".
- 02:04, 8 Mar 2013 at; tweet_btn(), Iain Thomson. "Pwn2Own: IE10, Firefox, Chrome, Reader, Java hacks land $500k".
- "Pwn2Own 2013". 2 March 2013.
- Chrome for Android Update, 14 Nov 2013
- "Archived copy". Archived from the original on 2014-03-16. Retrieved 2014-03-15.
- "Archived copy". Archived from the original on 2014-03-17. Retrieved 2014-03-15.
- "Archived copy". Archived from the original on 2015-04-02. Retrieved 2014-03-15.
- "Windows Phone security sandbox survives Pwn2Own unscathed".
- "Listy Things". Archived from the original on 2016-03-20.
- "Every browser goes down".
- "Chrome, Edge, and Safari all hacked".
- "Pwn2Own2017: Chrome the winner".
- "Hackers Awarded $267,000 at Pwn2Own 2018".