On Friday 6th of November, our very own Head of Research, Sam Thomas, took part in Pwn2Own Tokyo 2020. The event was streamed live from Toronto (due to the current Coronavirus restrictions) and all participants took part remotely, so we weren’t in Tokyo or Toronto (confusing right?).
What is Pwn2Own?
Pwn2Own has been around for 15 years now and the contest has grown to become one of the world’s largest hacking contests, with multiple events being held across the year. All Pwn2Own contests follow the same general approach.
Months before the event, the organisers will release a list of devices/software that they want participants to try to find exploits in. The researchers will then submit a detailed whitepaper explaining their exploits and detailed instructions and how to run them, Zero Day Initiative (ZDI) staff will verify this, and a shortlist will be chosen to demonstrate their findings on the actual device/software during the live event.
Teams are drawn into random lots to demonstrate their findings and a successful new exploit earns participants points. As always, points mean prizes, in this case cash. Points are added together and the team/participant with the most points at the end takes the overall ‘Master of Pwn’ title and trophy.
In terms of the exploits, once demonstrated, these are confidentiality disclosed to ZDI, who work directly with the manufacturers of the devices/software to develop security patches.
The devices on offer this year
The Tokyo Pwn2Own event focusses on connected devices such as mobile phones, TVs, smart speakers and wireless routers and a full list of the devices covered in the competition can be found here.
Our efforts were focused solely on the NAS (Network-Attached Storage) category and particularly the Western Digital My Cloud Pro Series PR4100 NAS device (try saying that fast 3 times), therefore we didn’t expect to compete for the overall ‘Master of Pwn’ title.
The goal set by the organisers on this NAS – achieve Remote Code Execution and receive a $20,000 cash prize, alongside 2 Master of Pwn points.
The research begins
We targeted this device because it has had a history of web application vulnerabilities and we began by carefully studying the attack surface exposed to unauthenticated users/attackers, as you would expect there was not very much. We eventually identified a subtle issue which would allow us to access further functionality, and after further investigation were able to leverage the issue to gain complete control of the device. Jackpot!
But not so fast, a prize in the Pwn2Own contest is never guaranteed and success can often come down to the luck of the draw. If we we’re drawn first in the demonstrations then the prize would be ours (assuming the demo ran successfully), but if another team went before us and demonstrated the same exploit, they’d get the glory and we’d walk away with nothing.
Things take a turn for the worse
With our exploit safely in the bag, we thought it was a case of sitting back and waiting for the event to start. How wrong we were.
A few days before the event, the vendor released a patch, fixing the issues we had discovered and completely breaking our exploit chain. We always recommend users patch software/devices and highly encourage vendors to release these vital security updates, but this is the one time we really wish they hadn’t.
So, what now?
PIVOT!
With a few days remaining until the contest, it was all hands-on deck to find another exploit which we could use. Sam worked tirelessly and somehow managed to find another exploit just in the nick of time. It wasn’t quite the exploit we had previously but given the time constraints it was the best we were going to get.
Shortly after this, the draw was made, we were fourth to demo on this device. Not great, but we had a new exploit and we just had to hope it hadn’t been found by another team.
The event itself
At 2pm Toronto time, 7pm our time, it was our turn to demo our new finding live.
We ran the exploit and a few seconds later our demo was successful, we had achieved arbitrary code execution through a combination of two bugs. Now, it was off to the disclosure room to disclose our findings and hope it hadn’t been submitted by any of the 3 previous teams.
