
Pwn2Own 2021 Day 2 – experts earned $200K for a zero-interaction Zoom exploit


Pwn2Own 2021 – Day 2: a security duo earned $200,000 for a zero-interaction Zoom exploit allowing remote code execution.

One of the most interesting working exploits of the second day of Pwn2Own 2021 was demonstrated by security researchers Daan Keuper and Thijs Alkemade from Computest. The duo successfully targeted Zoom Messenger in the Enterprise Communications category: the white-hat hackers chained three bugs to get code execution on the target system without any user interaction. The duo earned $200,000 and received 20 Master of Pwn points.

In the attack scenario the victim receives a meeting invitation, but the bug chain is triggered even if the victim never clicks anything.

The second highest payout of the day was assigned to the security researchers Bruno Keith and Niklas Baumstark of Dataflow Security who earned $100,000 for demonstrating an exploit for Chrome and Microsoft Edge web browsers.

“The team used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points.” states the post published on the official site of the competition.

Jack Dates from RET2 Systems and Sunjoo Park (aka grigoritchy) exploited a logic bug to execute code on the underlying operating system through Parallels Desktop. The entry earned $40,000 and 4 Master of Pwn points.

Manfred Paul earned $30,000 and 3 Master of Pwn points targeting Ubuntu Desktop: he exploited an OOB Access bug to escalate to root on Ubuntu Desktop.

Day two ended with the success of a researcher that uses the moniker z3r09 targeting Windows 10. z3r09 exploited an integer overflow issue to escalate his permissions up to NT Authority\SYSTEM. He earned $40,000 and 4 Master of Pwn points.

The only partial success of the day was the attempt by Team Viettel against Microsoft Exchange in the Server category.

Team Viettel successfully demonstrated their exploit on the Exchange server, but some of the bugs chained by the team had already been reported earlier in the contest, so the entry counted only as a partial win. The team still received 7.5 Master of Pwn points.

On the first day of the competition, participants earned more than half a million dollars for five working exploits out of seven attempts.


Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own 2021)
