Gandalf_The_Grey

Level 55
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
4,449
Since its inception, our Fall Pwn2Own contest has focused on consumer devices – even as the contest itself has wandered around the world. It started in Amsterdam in 2012 with just mobile phones. The next year, the contest moved to Tokyo to be held concurrently with the PacSec Applied Security conference and, over the years, grew to include TVs, wearables, and smart speakers. Last year, the contest moved to Toronto and expanded again to include Network Attached Storage (NAS) devices. For 2021, we’re on the move again. This year, we’ll be hosting Pwn2Own at our headquarters in Austin, Texas on November 2-4, 2021. For this year’s event, we’re growing again to reflect the home-office environment many currently find themselves in by expanding the router category and implementing the printer category. In all, we’ll have 22 devices available as targets and be offering more than $500,000 USD in prize money.
Welcome to Pwn2Own Austin 2021! This year’s consumer-focused event is our largest ever with 58 total entries from 22 different contestants. As with all of our contests now, you can follow along live on YouTube and Twitch. With attempts going every 30 minutes, it should be an exciting few days.

As always, we started the contest with a random drawing to determine the order of attempts. You can view the results here. Our schedule is so packed, we’ve extended the contest to a fourth day. The complete schedule for the contest is below (all times Eastern [GMT -4:00]). We will update this schedule with results as they become available.
 

Gandalf_The_Grey
Tuesday, November 2:
1000 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
SUCCESS - Sam used a three-bug chain that included an unsafe redirect and a command injection to get code execution on the Western Digital My Cloud Pro Series PR4100. This successful demonstration earns him $40,000 and 4 Master of Pwn points.
1030 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the Cisco RV340 in the router category
SUCCESS - Bien Pham leveraged a logic error to compromise the WAN interface of the Cisco RV340 router. He earns $30,000 and 3 Master of Pwn points.
1100 - The Synacktiv (@Synacktiv) team targeting the Canon ImageCLASS MF644Cdw in the printer category
SUCCESS - The Synacktiv team used a heap overflow to take over the Canon ImageCLASS printer and bring home the first Printer Category win in Pwn2Own history. They earn $20,000 and 2 points towards Master of Pwn.
1130 - trichimtrich and nyancat0131 targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi in the router category
SUCCESS - trichimtrich used an Out-Of-Bounds (OOB) Read to get a root shell via the LAN interface of the TP-Link AC1750 router. This earns him $5,000 and 1 point towards Master of Pwn.
1200 - The THEORI Team (@theori_io) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
SUCCESS - The THEORI team combined an OOB Read and a stack-based buffer overflow to take over the Western Digital My Cloud Pro Series PR4100 NAS device. They used a unique bug chain, so they earn the full $40,000 and 4 points towards Master of Pwn.
1230 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the Cisco RV340 in the router category
SUCCESS - Bien Pham from Team Orca of Sea Security used a three-bug chain, including an auth bypass and a command injection, to take over the LAN interface of the Cisco RV340. This effort earns him $15,000 and 2 more Master of Pwn points.
1300 - Ken Gannon (@yogehi) of F-Secure Labs (@fsecurelabs) targeting the Samsung Galaxy S21 in the Mobile Phone category
FAILURE - Unfortunately, Ken could not get his exploit to work within the time allotted.
1400 - Bugscale targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
COLLISION - The exploit chain used by Bugscale included known bugs. They still earn $20,000 and 2 Master of Pwn points.
1430 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the LAN interface of the Cisco RV340 in the router category
COLLISION - The exploit chain used by the CrowdStrike team included some known bugs. They still earn $10,000 and 1.5 Master of Pwn points.
1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Canon ImageCLASS MF644Cdw in the printer category
SUCCESS - The DEVCORE team used a stack-based buffer overflow to take over the Canon ImageCLASS printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.
1530 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category
SUCCESS - Bien Pham finishes Day 1 by using an OOB Read bug to take control of the TP-Link AC1750 router via the LAN interface. This earns him another $5,000 and 1 Master of Pwn point.
1630 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Sonos One Speaker in the home automation category
SUCCESS - The DEVCORE team used an integer underflow to gain code execution on the Sonos One Speaker. They earn $60,000 and 6 points towards Master of Pwn.
1700 - Gaurav Baruah (@_gauravb_) targeting the WAN interface of the Cisco RV340 in the router category
COLLISION - A partial collision. One of the bugs used by Gaurav was previously known. He still earns $22,500 and 2.5 Master of Pwn points.
1730 - The THEORI Team (@theori_io) targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category
SUCCESS - The THEORI Team used a stack-based buffer overflow to get code execution on the 3TB My Cloud Home Personal Cloud from WD. This earns them $40,000 and 4 Master of Pwn points, giving them a day 1 total of $80,000 and 8 points.
1800 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category
SUCCESS - The DEVCORE team used a stack-based buffer overflow to gain code execution on the HP Color LaserJet Pro. They earn another $20,000 and 2 Master of Pwn points, bringing their day 1 total to $100,000 and 10 Master of Pwn points.
Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.
— trichimtrich and nyancat0131 targeting the LAN interface of the NETGEAR R6700v3 in the router category
SUCCESS - trichimtrich leveraged an integer overflow to gain code execution via the LAN interface of the NETGEAR R6700v3 router. They win another $5,000 and 1 more point towards Master of Pwn.
— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the NETGEAR R6700v3 in the router category
FAILURE - Unfortunately, Team Flashback could not get their exploit to work within the time allotted.
— Bugscale targeting the LAN interface of the NETGEAR R6700v3 in the router category
SUCCESS - The Bugscale team combined an authorization bypass with a command injection bug to get code execution on the LAN interface of the NETGEAR router. They earn $5,000 and 1 Master of Pwn point.
— crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the NETGEAR R6700v3 in the router category
SUCCESS - The Mofoffensive Research Team combining a heap overflow and a stack-based buffer overflow to gain code execution on the LAN interface of the NETGEAR R6700 router. Their efforts earn $5,000 and 1 Master of Pwn point.
The results are posted.
 

Gandalf_The_Grey
Wednesday, November 3
1000 - NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
SUCCESS - The NCC Group leveraged a memory corruption bug three different ways (and overcame a timing issue) to get code execution on the Western Digital My Cloud Pro Series PR4100. They earn themselves $40,000 and 4 Master of Pwn points.
1030 - Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the Cisco RV340 in the router category
SUCCESS - The Flashback team of Pedro and Radek used an impressive stack-based buffer overflow to get code execution on the WAN interface of the Cisco RV340 router. They earn $30,000 and 3 Master of Pwn points.
1100 - Nicolas Devillers (@nikaiw), Jean-Romain Garnier, and Raphael Rigo (@_trou_) targeting the Canon ImageCLASS MF644Cdw in the printer category
SUCCESS - The team of Nicolas Devillers, Jean-Romain Garnier, and Raphael Rigo obtained code execution on the Canon ImageCLASS printer through a stack-based buffer overflow. This unique bug chain earns them $20,000 and 2 Master of Pwn points.
1130 - crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category
FAILURE - Unfortunately, the Mofoffensive Team could not get their exploit to work within the time allotted.
1200 - The Synacktiv (@Synacktiv) team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
SUCCESS - The Synacktiv team leveraged a configuration error bug to get code execution on the PR4100. They earn $40,000 and 4 Master of Pwn points.
1230 - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the LAN interface of the Cisco RV340 in the router category
SUCCESS - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab used 3 unique bugs, including an authorization bypass and a command injection, to get code execution on the Cisco RV340 via the LAN interface. They earn $15,000 and 2 Master of Pwn points.
1300 - The STARLabs Team targeting the Samsung Galaxy S21 in the mobile phone category
COLLISION - The exploit chain used by the STARLabs team included a bug known by the vendor. They still earn $25,000 and 2.5 Master of Pwn points.
1400 - The Synacktiv (@Synacktiv) team targeting the Sonos One Speaker in the home automation category
SUCCESS - The Synacktiv team used a stack-based buffer overflow to compromise the Sonos One speaker and play us a tune. They earn $60,000 and 6 Master of Pwn points.
1430 - trichimtrich and nyancat0131 targeting the WAN interface of the Cisco RV340 in the router category
SUCCESS - trichimtrich used nearly all the time on the clock, but his command injection bug is unique. His takeover of the Cisco RV340 via the WAN interface earns him $30,000 and 3 Master of Pwn points.
1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
COLLISION - The DEVCORE team successfully exploited the WD PR4100, but the bugs they leveraged had been previously used in the competition. Their work still earns them $20,000 and 2 Master of Pwn points.
1530 - The STARLabs Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category
COLLISION - The STARLabs team exploited the LAN interface of the TP-Link AC1750 router, but they used a known bug. This still nets them $2,500 and .5 Master of Pwn points.
1600 - The Synacktiv (@Synacktiv) team targeting the Lexmark MC3224i in the printer category
SUCCESS - The Synacktiv team combined three unique bugs, including an unprivileged access bug and a command injection bug, to get code execution on the Lexmark MC3224i printer. They earn $20,000 and 2 more Master of Pwn points.
1700 - The STARLabs Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) of STARLabs team included bugs previously used in the contest. They still earn $20,000 and 2 Master of Pwn points.
1745 - The Synacktiv (@Synacktiv) team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category
COLLISION - The exploit chain used by the Synacktiv team included a bug used earlier in the competition. They still earn $10,000 and 1 Master of Pwn point.
Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.
— Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.
— The STARLabs Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category
COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) and Phan Thanh Duy (PTDuy) of STARLabs took over the 3TB My Cloud Home Personal Cloud from WD using a bug previously seen in the competition. They still earn $20,000 and 2 Master of Pwn points.
— Diffense Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
COLLISION - In their Pwn2Own debut, the Diffense Team runs into a collision. They were able to exploit the Western Digital My Cloud Pro Series PR4100, but the bug they leveraged was also used on Day 1. They still earn $20,000 and two Master of Pwn points in their debut effort.
— Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Lexmark MC3224i in the printer category
SUCCESS - The DEVCORE team used a code injection bug to take over the Lexmark MC3224i printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.
— NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Lexmark MC3224i in the printer category
SUCCESS - The NCC Group again needed multiple attempts, but they successfully exploited the Lexmark MC3224i with a file write bug. They earn $20,000 and 2 Master of Pwn points.
— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the NETGEAR R6700v3 in the router category
FAILURE - Unfortunately, Bien could not get his exploit to work within the time allotted.
— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category
COLLISION - The two-bug exploit chain used by Bien included bugs used earlier in the competition. He still earns $2,500 and .5 Master of Pwn points.
— Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the WAN interface of the NETGEAR R6700v3 in the router category
FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.
— Diffense Team targeting the LAN interface of the NETGEAR R6700v3 in the router category
FAILURE - Unfortunately, the Diffense Team could not get their exploit to work within the time allotted.
The results are posted.
 

Gandalf_The_Grey
Thursday, November 4
1000 - Martin Rakhmanov (@mrakhmanov) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category
SUCCESS - Martin used a unique two-bug chain that included a command injection to compromise the NAS device. He earns himself $40,000 and 4 points towards Master of Pwn.
1030 - The Synacktiv (@Synacktiv) team targeting the LAN interface of the Cisco RV340 in the router category
COLLISION - The three-bug exploit chain used by the Synacktiv team included some known bugs. They still earn $7,500 and 1 Master of Pwn point.
1100 - Alexander Bolshev (@dark_k3y), Timo Hirvonen (@TimoHirvonen), and Dmitry Janushkevich (@InfoSecDJ) of F-Secure Labs (@fsecurelabs) targeting the HP Color LaserJet Pro MFP M283fdw in the printer category
SUCCESS - The team from F-Secure Labs used a single stack-based buffer overflow to take over the printer and turn it into a jukebox. They earn $20,000 and 2 Master of Pwn points.
1200 - The STARLabs Team targeting the beta version of the 3TB My Cloud Home Personal Cloud from WD in the NAS category
SUCCESS - The STARLabs team of Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) combined an OOB Read and a heap-based buffer overflow to exploit the beta version of the 3TB My Cloud Home Personal Cloud from WD. They earn $45,000 and 5 Master of Pwn points.
1230 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the Cisco RV340 in the router category
COLLISION - The four-bug exploit chain used by Stephen included some known bugs. His successful demonstration still earns him $10,000 and 1.5 Master of Pwn points.
1300 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Samsung Galaxy S21 in the mobile phone category
SUCCESS - Sam used a three-bug chain to get code execution on the Samsung Galaxy S21. This successful demonstration earns him $50,000 and 5 Master of Pwn points.
1400 - The Synacktiv (@Synacktiv) team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category
COLLISION - The Synacktiv team used a two-bug chain to compromise the 3TB My Cloud Home Personal Cloud, but one of the bugs had been used prior in the contest. Their demonstration still earns them $20,000 and 2 Master of Pwn points.
1500 - Chris Anastasio (@mufinnnnnnn) targeting the Lexmark MC3224i in the printer category
COLLISION - Chris used a four-bug chain to compromise the Lexmark printer, but one of the bugs had been used prior in the contest. His efforts still earn him $17,500 and 1.75 Master of Pwn points.
1600 - The STARLabs Team targeting the LAN interface of the NETGEAR R6700v3 in the router category
FAILURE - Unfortunately, the STARLabs Team could not get their exploit to work within the time allotted.
1700 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category
SUCCESS - Stephen used an uninitialized variable to get a root shell via the LAN interface of the NETGEAR R6700v3 router. He earns $5,000 and 1 Master of Pwn point.
Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.
— The Synacktiv (@Synacktiv) team targeting the WAN interface of the NETGEAR R6700v3 in the router category
SUCCESS - The Synacktiv team used an improper certificate validation and a stack-based buffer overflow to compromise the NETGEAR router via the WAN interface. They earn $20,000 and 2 critical Master of Pwn points.
— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the LAN interface of the NETGEAR R6700v3 in the router category
COLLISION - Pedro and Radek leveraged 2 bugs to exploit the NETGEAR R6700 router via the LAN interface, but the path traversal they chose was an N-day. This still earns them $3,750 and .75 Master of Pwn points.
The results are posted.
 

LASER_oneXM

Level 37
Verified
Top poster
Well-known
Feb 4, 2016
2,574
Contestants hacked the Samsung Galaxy S21 smartphone during the second day of the Pwn2Own Austin 2021 competition, as well as routers, NAS devices, speakers, and printers from Cisco, TP-Link, Western Digital, Sonos, Canon, Lexmark, and HP.

So far, Trend Micro's Zero Day Initiative has awarded $777,500 over the first two days of Pwn2Own Austin, with $415,000 awarded during the second day and $362,500 won during the first day.
 

Gandalf_The_Grey
First day report from the same site:
During the first day of Pwn2Own Austin 2021, contestants won $362,500 after exploiting previously unknown security flaws to hack printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR.
 

Gandalf_The_Grey
Friday, November 5
1000 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category
SUCCESS - The DEVCORE team combined an OOB Read and an OOB Write to successfully exploit the 3TB My Cloud Home Personal Cloud from WD. This unique bug chain earned them $40,000 and 4 Master of Pwn points.
1030 - Diffense Team targeting the LAN interface of the Cisco RV340 in the router category
COLLISION - The Diffense Team leveraged 4 bugs to exploit the Cisco RV340 router via the LAN interface, but some of the bugs had been seen earlier in the conference. This still earns them $10,000 and 1.5 Master of Pwn points.
1100 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the Lexmark MC3224i in the printer category
COLLISION - The team from CrowdStrike had no problem taking over the Lexmark printer using a three-bug chain, however all of the bugs used had been seen earlier in the contest. Their effort wins them $10,000 and 1 Master of Pwn point.
1200 - The NullRiver team of Xin’an Zhou, Xiaochen Zou, Zhiyun Qian targeting the LAN interface of the NETGEAR R6700v3 in the router category
1230 - Final wrap-up and the crowning of the Master of Pwn

Congratulations to the Synacktiv team for being crowned Master of Pwn! It was a tight race, but their combined efforts held off all challengers.
[Image: Master of Pwn standings]

Thanks again to our partners Western Digital as well as our sponsor Synology. Thanks also to the researchers who participate and to the vendors for providing fixes for what’s discovered during the contest. As a reminder, vendors have 120 days to produce a fix for all vulnerabilities reported.
Results posted, but they forgot: "1200 - The NullRiver team of Xin’an Zhou, Xiaochen Zou, Zhiyun Qian targeting the LAN interface of the NETGEAR R6700v3 in the router category", that was SUCCESS according to their Twitter feed.
 

Gandalf_The_Grey
Pwn2Own: Printer plays AC/DC, Samsung Galaxy S21 hacked twice
Trend Micro's ZDI has awarded $1,081,250 for 61 zero-days exploited at Pwn2Own Austin 2021, with competitors successfully pwning the Samsung Galaxy S21 again and hacking an HP LaserJet printer to play AC/DC's Thunderstruck on the contest's third day.

Contestants earned $70,000 during the fourth day, $238,750 on the third day, $415,000 on the second, and $362,500 during the first day.

The Synacktiv team won the contest after getting $197,000 in cash for their zero-days and 20 Master of Pwn points, with a six-point lead over the DEVCORE team, which finished with 14 points and earned a total of $140,000.

Over the four days of competition, the contestants compromised printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR after exploiting 61 previously unknown security flaws known as zero-day vulnerabilities.

The full Pwn2Own Austin 2021 schedule and the results following each challenge are available here.
 