Pwn2Own 2014: $150,000 for an “exploit unicorn”
There are a few new rules for this year’s edition of the Pwn2Own hacking contest and a huge new prize for an “Exploit Unicorn worthy of myth and legend” – $150,000 for system-level code execution on Windows 8.1 x64 on Internet Explorer 11 x64 with EMET bypass.
The news was announced by HP ZDI’s manager Brian Gorenc, who explained that “taming the Exploit Unicorn is a multi-step process” that has to follow a strict sequence:
1. The initial vulnerability utilized in the attack must be in the browser.
2. The browser’s sandbox must be bypassed using a vulnerability in the sandbox.
3. A separate privilege escalation vulnerability must be used to obtain SYSTEM-level arbitrary code execution on the target.
4. The exploit must work when Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protections are enabled.
Security researchers have taken to Twitter to comment on this Unicorn prize, some on the questionable sequence, and others on whether the prize was worth “burning” three zero-day exploits when two could be enough.
Nevertheless, the challenge is a good one for drumming up excitement for the upcoming contest, and for testing the skill of the contestants.
The other two categories of the contest are the same as last year: Browsers and Plug-ins.
Researchers who manage to crack Chrome or Internet Explorer on Windows 8.1 x64 will get $100,000; those who successfully break Firefox (also on Windows) or Apple Safari on OS X Mavericks will receive $50,000 and $65,000, respectively.
Hacking Adobe Reader or Flash on IE 11 on Windows will be rewarded with $75,000, while bypassing Java on the same setup will be rewarded with $30,000.
Successful contestants will also receive the laptop on which they demonstrate the compromise, as well as 20,000 ZDI reward points, which automatically qualifies them for a one-time $5,000 cash payout, a 15% monetary bonus and a 25% reward-point bonus on all vulnerabilities submitted to ZDI during the next calendar year, and paid travel and registration to attend the 2014 DEFCON conference in Las Vegas.
Interested parties can find the complete rules of this year’s edition of the contest here.