Windows 10, iOS 15, Google Chrome, Apple Safari, Microsoft Exchange Server and Ubuntu 20 were successfully compromised using original, never-before-seen exploits during the Tianfu Cup 2021, the fourth edition of the international cybersecurity competition held in the city of Chengdu, China.
Targets this year included Google Chrome running on Windows 10 21H1, Apple Safari running on a MacBook Pro, Adobe PDF Reader, Docker CE, Ubuntu 20 / CentOS 8, Microsoft Exchange Server 2019, Windows 10, VMware Workstation, VMware ESXi, Parallels Desktop, iPhone 13 Pro running iOS 15, home mobile phones running Android, QEMU VM, Synology DS220j DiskStation, and ASUS RT-AX56U router.
The Chinese version of Pwn2Own was launched in 2018 following a government regulation in the country prohibiting security researchers from participating in international hacking competitions due to national security concerns.
Except for the Synology DS220j NAS, the Xiaomi Mi 11 smartphone and an unnamed Chinese electric vehicle, attacks were successfully mounted against all other targets:
- Adobe PDF Reader
- Apple iPhone 13 Pro (under iOS 15)
- Apple Safari
- ASUS RT-AX56U
- Docker CE
- Google Chrome
- Microsoft Exchange Server
- Microsoft Windows 10
- Parallels Desktop
- QEMU VM
- Ubuntu 20 / CentOS 8
- VMware ESXi
- VMware Workstation
The two-day tournament, which took place the weekend of October 16 and 17, saw security researchers win 1.88 million in cash prizes, with Kunlun Lab taking first place ($654,500) for demonstrating successful exploits in iOS 15, including a remote code execution flaw in mobile Safari in 15 seconds. Researchers from the cybersecurity company also exploited Google Chrome “to gain kernel-level privileges of the Windows system with only two bugs,” Kunlun Lab CEO @mj0011 tweeted.
Team PangU came in second with a total of $522,500 for showing off a remote jailbreak of an iPhone 13 Pro running iOS 15, marking the first time the newly released iPhone model has been cracked in a public forum, while the Vulnerability Research Institute (VRI) came in third with $392,500.
Details of the vulnerabilities have not been made public, but companies are expected to release fixes for the newly discovered vulnerabilities in the coming weeks.