As is now tradition, in December 2022 we took part in Pwn2Own. This time, live from Toronto. As always, we sadly weren’t in Toronto to compete, but maybe next year boss? Hint hint.
For the second year running, we decided to target the latest Western Digital NAS device (PR4100) and the latest Samsung Galaxy mobile phone (the S22 in this case). And just like last year, we were able to successfully compromise both, earning $45,000 in prize money and 9 Master of Pwn points.
This year’s success was even more notable: we compromised the Samsung S22 with a one-click 0day vulnerability, and the whole attempt took less than a minute.
Of course, when you compromise a well-known device such as a Samsung Galaxy S22 it’s going to generate some buzz, and boy did it. “Samsung Galaxy S22 hacked in 55 seconds on Pwn2Own Day 3” said Bleeping Computer. Even the organisers, ZDI, were impressed, with Dustin Childs, ZDI’s Head of Threat Awareness, saying “My favourite for style was the Mario hack, my favourite for substance was Pentest doing the Samsung phone in 55 seconds”. High praise indeed.
Whilst the headlines and the praise focused on the speed of the compromise, that certainly wasn’t the full story. What was heralded as a 55 second hack took nearly two months of work to make happen. So, with that in mind, we wanted to give you a bit more insight into the goings-on behind the scenes and how we approached the competition.
Let’s start at the beginning (the approach)
Selecting your targets for a competition such as Pwn2Own can be a bit of a conundrum. There are a lot of exciting devices to go after, but only a limited timeframe in which to get hold of a device (or one running the same software), familiarise yourself with its inner workings and find vulnerabilities severe enough to qualify. Choose wisely and you set yourself a good platform for potential success; choose poorly and time can easily slip away without even scratching the surface. Careful consideration is therefore needed.
However, this year was a little different. Having already taken part in Pwn2Own for a few years, we were already familiar with the Samsung and Western Digital NAS devices, their firmware and their software. That certainly made choosing targets easier and allowed us to cut a lot of time out of the target consideration stage.
Even with that familiarity, it’s always important to refamiliarise yourself with the targets: understanding what patches have been applied since we last looked at them and where significant updates have been made.
Understanding the patches applied can often provide quick wins when looking for high-risk vulnerabilities. The first stage of our research was therefore to check whether the patches could be bypassed directly by our previous exploits, or whether there were variants of our earlier vulnerabilities which the patches in question did not cover.
And so it was the case here. Whilst significant aspects of our earlier entries had been addressed by the patches implemented on both devices, with a little creativity and a lot of hard work we were able to find new methods which built on the weaknesses illustrated by our previous entries.
The event itself
As with previous years, we took part in the competition remotely and all entries had to be ready and submitted days ahead of time. Once our entries were in, there was a nerve-wracking wait to see where we were drawn against other competitors targeting the same devices.
Sadly, the draw wasn’t favourable to us this year. In fact, it was the worst possible result: we were drawn 5th out of 5 for our attempt on the Samsung S22 and 3rd out of 4 for our attempt on the PR4100. The likelihood of a bug collision (another team using the same vulnerability before us) was therefore much higher, potentially limiting our chances of success.
However, in the end, we didn’t need to worry as both our entries not only succeeded, but were also unique, earning us 9 Master of Pwn points and $45,000 in prize money.
Following the competition, patches have been released by both manufacturers and advisories have been published outlining the issues we exploited. You can read these advisories below:
Samsung Galaxy mobile phone (S22)
On the S22, a single vulnerability gave us the one-click compromise.
– Permissive List of Allowed Inputs Remote Code Execution Vulnerability – ZDI-23-774
Western Digital NAS device (PR4100)
On the PR4100, we had to chain three vulnerabilities to gain code execution in the contest.
– Server-Side Request Forgery (SSRF) – ZDI-23-850
– Uncontrolled Resource Consumption Denial-of-Service – ZDI-23-851
– Command Injection Remote Code Execution – ZDI-23-852
Whilst it’s often difficult to find vulnerabilities that would qualify for the contest, we tried to focus our efforts on bugs which we hoped would be unique amongst the entrants. This was put to a severe test this year with our unlucky draw, so we were delighted to find that the vulnerabilities we found did not collide with anyone else’s.
Let’s hope for a better draw next year!