Two security researchers won a $200,000 prize on the second day of the Pwn2Own 2021 competition with an exploit for Zoom flaws that allowed remote code execution. The flaws and the proof of concept were demonstrated by Daan Keuper and Thijs Alkemade, both from the company Computest. The exploit involves three vulnerabilities and works on the latest versions of Windows 10 and Zoom. In the Pwn2Own demo, the simulated victim saw a meeting invitation from the attacker and didn’t have to click on anything to trigger code execution.
On the first day of the competition, participants won $570,000, including $440,000 for exploits targeting Microsoft products (Teams, Exchange and Windows). According to the Zero Day Initiative (ZDI), the Trend Micro initiative that organizes the competition, this is the first time that more than one million dollars has been paid out at Pwn2Own. Researchers Bruno Keith and Niklas Baumstark, from Dataflow Security, were awarded US$100,000 on the second day of the competition for exploiting flaws in the Chrome and Microsoft Edge browsers.
On the first day, attempts to hack the Parallels virtual machine failed, but on the second day researcher Jack Dates, from RET2 Systems, and Sunjoo Park each earned $40,000 for being able to run code on the underlying operating system through the Parallels Desktop application.
There were also two successful attempts to escalate privileges on Windows 10 and one successful privilege escalation exploit on Ubuntu. These participants won $40,000 and $30,000, respectively.
With international news agencies
See the original post at: https://www.cisoadvisor.com.br/disputa-no-pwn2own-2021-mostra-falhas-no-zoom-teams-exchange/?rand=59039