Hack VMware, score US$75K. Hack Flash, get much less

Solarquest

Jul 22, 2014
Pwn2Own hackerfest names its targets and prizes for 2016

12 Feb 2016 at 05:02, Darren Pauli

CanSecWest There's US$75,000 up for grabs to hackers who compromise VMware's hypervisor software in an upgraded Pwn2Own contest next month.

The next challenge represents a significant boost to the difficulty of the hacking competition in which popular hardware and software products are publicly flayed by cyber-security gurus.


The Vancouver, Canada, event – to be held on March 16 this year – invites hackers to exploit zero-day vulnerabilities in widely used code, such as Apple's Safari browser, Google's Chrome browser, or Adobe Flash, and win tens of thousands of dollars in prizes for doing so.

Hewlett Packard Enterprise's vulnerability research manager Brian Gorenc (@maliciousinput) says the HP-run event will now include the option to pop VMware on Windows.

"Since its inception in 2007, Pwn2Own has increased the challenge level at each new competition, and this year is no different," Gorenc says.

"While the latest browsers from Google, Microsoft, and Apple are still targets, the Windows-based targets will be running on a VMware Workstation virtual machine [and] a US$75,000 bonus will be given to those who can escape the VMware virtual machine.

"This is our first year including VMware as a target, and we look forward to seeing what researchers will do with it."

The contest will be reworked so that winners are those with the highest overall points accrued through successful exploits. Those who escape Windows VMware (US$75,000) will grab the maximum 13 points, while hosing Chrome (US$65,000) or Microsoft Edge (US$65,000) will earn 10 points.

Adobe asset Flash in Edge (US$60,000) and OS-X Safari (US$40,000) attract eight and six points, while system escalation, root escalation, and target sandbox (US$20,000) escapes earn five, four, and three points respectively.

Contestants will need to consider how the Wassenaar Arrangement may affect them.

Hewlett Packard canned last year's MobilePwn2Own contest in December allegedly due to the Arrangement. The Japan hackerfest went ahead anyway and enjoyed success despite the fact that some hackers stayed home for fear of breaching the global disparate arms control system.

It is, however, generally said that Western nations do not intend to target white hat researchers. ®



It will be interesting to see if and how they manage to escape from the VM... a pity that VirtualBox is not "tested".
 

DaveM

Feb 12, 2016
That isn't surprising. Flash is on its last gasp and sandbox environments are a great target.
 
