Microsoft’s Windows 10, Exchange, and Teams hacked at Pwn2Own

On the first day of the Pwn2Own 2021 hacking competition, participants earned more than half a million dollars, including $440,000 for demonstrating exploits against Microsoft products.

This year’s Pwn2Own got off to a strong start, with teams from several security firms taking down popular software such as Windows 10, Ubuntu and Microsoft Teams.

The first target to fall was Microsoft Exchange in the Server category. The Devcore team achieved remote code execution on an Exchange server by chaining an authentication bypass with a local privilege escalation, earning $200,000 and 20 Master of Pwn points.

Next, a security researcher using the online moniker OV obtained code execution on Microsoft Teams in the Enterprise Communications category by combining two separate security bugs. He also earned $200,000 and 20 Master of Pwn points.

Team Viettel earned $40,000 and 4 Master of Pwn points in the Local Escalation of Privilege category after exploiting a bug in Windows 10 to escalate from a regular user to SYSTEM.

As is par for the course during Pwn2Own week, many of these vulnerabilities should be patched in short order, either with an out-of-band patch or in the next regularly scheduled round of updates. Vendors have 90 days to produce fixes for the vulnerabilities reported, but some roll out patches much faster: Mozilla engineers patched a Firefox vulnerability in less than a day a few years ago.

While the details of the Exchange chain aren’t fully known – other than that it combined an authentication bypass and a local privilege escalation – the fact that it surfaced at all adds fuel to the proverbial Exchange fire of the past month.

Administrators have had their hands full for more than a month scrambling to patch four zero-day vulnerabilities in Microsoft Exchange Server that were being used in active attacks against enterprises by a state-sponsored hacking group, Hafnium. Microsoft said in late March that 92% of vulnerable Exchange servers had been patched or had mitigations applied.

There is also an automotive category this year for hacking Tesla cars. Participants have been offered up to $600,000 and a vehicle, but it seems no one has signed up for this category. A team of researchers did earn a Tesla back in 2019, when the automotive hacking category was introduced at Pwn2Own. In 2020, contestants didn’t have the opportunity to hack a Tesla because of the coronavirus pandemic.

The prize pool for Pwn2Own 2021 exceeds $1.5 million in cash and other prizes. At last year’s event, participants earned only $270,000 for their exploits.