Pwn2Own 2013

Update - 3/7/13 11:45am

One of our pre-registered contestants, Ben Murphy, will be attempting Java via proxy at 2pm.

Update - 3/6/13 11:30am

ANNOUNCEMENT

ZDI will be awarding full prize money for all successful vulnerabilities and exploits from pre-registered contestants, including multiple prizes per category.

Contestants

Tentative Schedule - Subject to change

Wednesday:

1:30 - Java (James Forshaw) PWNED

2:30 - Java (Joshua Drake) PWNED

3:30 - IE 10 (VUPEN Security) PWNED

4:30 - Chrome (Nils & Jon) PWNED

5:30 - Firefox (VUPEN Security) PWNED

5:31 - Java (VUPEN Security) PWNED

Thursday:

12pm - Flash (VUPEN Security) PWNED

1pm - Adobe Reader (George Hotz) PWNED

2pm - Java (Ben Murphy via proxy) PWNED

Overview

HP’s DVLabs Zero Day Initiative (ZDI) is expanding the focus of its annual Pwn2Own competition beyond vulnerabilities in the web browser this year. Over the last several years, we have seen browser plug-in vulnerabilities become increasingly popular in exploit kits and malware. These vulnerabilities affect a large percentage of the Internet community and are quickly weaponized by attackers. That being said, we are not forgetting about the browser: we will again be focusing on finding, demonstrating, and responsibly disclosing vulnerabilities in all the popular web browsers. We would also like to thank our friends at Google for stepping up to provide partial sponsorship for all targets in this year's competition.

Please direct all press inquiries for HP ZDI to: Cassy Lalan <hpesp@bm.com>

Contest Dates

The contest will take place on the 6th, 7th, and 8th of March in Vancouver, British Columbia, during the CanSecWest 2013 conference. This blog post will be updated as the contest plays out; for real-time updates, follow @thezdi or @Pwn2Own_Contest on Twitter, or search for the hashtag #pwn2own.

Rules & Prizes

HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the categories below. The first contestant to successfully compromise a selected target will win the prizes for that category.

  • Web Browser
    • Google Chrome on Windows 7 ($100,000)
    • Microsoft Internet Explorer, either
      • IE 10 on Windows 8 ($100,000), or
      • IE 9 on Windows 7 ($75,000)
    • Mozilla Firefox on Windows 7 ($60,000)
    • Apple Safari on OS X Mountain Lion ($65,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
    • Adobe Reader XI ($70,000)
    • Adobe Flash ($70,000)
    • Oracle Java ($20,000)

The targets will be running the latest, fully patched versions of Windows 7, Windows 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how the majority of users will have them configured. As always, the vulnerabilities used in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.

Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.

Along with prize money, the contestant will receive the compromised laptop and 20,000 ZDI reward points* which immediately qualifies them for Silver standing.

*Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions over the next calendar year, 25% reward point bonus on all ZDI submissions over the next calendar year and paid travel and registration to attend the 2013 DEFCON Conference in Las Vegas.

Each contestant will be allowed to select the category they wish to compromise during the pre-registration process. During the contest, a contestant will have a 30-minute time slot in which to complete their attempt (not including time to set up possible network or device prerequisites). A successful attack against these targets must require little or no user interaction and must demonstrate code execution. The HP ZDI reserves the right to determine what constitutes a successful attack.

As always, vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP in accordance with the HP ZDI program. If the affected vendors wish to coordinate an onsite transfer at the conference venue, HP ZDI is willing to accommodate that request.

Full contest rules can be found at http://dvlabs.tippingpoint.com/Pwn2OwnContestRules.html, and may be changed at any time without notice.

Registration

Contestants are asked to pre-register by contacting ZDI via e-mail at zdi@hp.com. This will allow us to ensure we have the necessary resources in place to facilitate the attack. If more than one contestant registers for a given category, the order of the contestants will be drawn at random.

Labels: HPSR| pwn2own| ZDI
Comments

VitaliyB | 03-08-2013 01:55 AM

This is what makes me want to go from being a software developer to a security researcher; however, the whole purpose behind pointers confuses me.

_nika_ | 03-10-2013 05:14 AM

Did they forget about Opera?
