PWN2OWN AUSTIN 2021-The results of the hacker intrusion in the first two days and the schedule for the next two days

Tuesday, November 2

1000-Sam Thomas (@_s_n_t) from the Pentest Limited (@pentestltd) team aimed at the Western Digital My Cloud Pro series PR4100 in the NAS category

Success-Sam used a three-error chain containing insecure redirection and command injection to execute code on the Western Digital My Cloud Pro series PR4100. This successful demonstration earned him $40,000 and 4 Master of Pwn points.

1030-Bien Pham (@bienpnn) of Orca (security.sea.com) of Ocean Security Team aimed at the WAN interface of Cisco RV340 in the router category

Success-Bien Pham used a logical error to destroy the WAN interface of the Cisco RV340 router. He won 30,000 USD and 3 Pwn master points.

1100-Synacktiv (@Synacktiv) team aimed at Canon ImageCLASS MF644Cdw in the printer category

Success-The Synacktiv team used heap overflow to take over Canon ImageCLASS printers and successfully brought home the first printer category in Pwn2Own history. They get 20,000 USD and 2 Pwn Master of Pwn points.

1130 – trichimtrich and nyancat0131 aim at the LAN interface of TP-Link AC1750 Smart Wi-Fi in the router category

Success-trichimtrich uses out-of-bounds (OOB) reading to get the root shell through the LAN interface of the TP-Link AC1750 router. This earned him US$5,000 and 1 Pwn Master point.

1200 – The THEORI team (@theori_io) aimed at the Western Digital My Cloud Pro series PR4100 in the NAS category

Success-The THEORI team combined OOB reading and stack-based buffer overflow to take over the Western Digital My Cloud Pro series PR4100 NAS device. They used a unique error chain, so they got all 40,000 USD and 4 Pwn master points.

1230-Bien Pham (@bienpnn) from Orca (security.sea.com) of the marine security team, for the LAN interface of the Cisco RV340 in the router category

Success-Bien Pham from Sea Security’s Orca team used a three-vulnerability chain, including an authentication bypass and a command injection, to take over the Cisco RV340’s LAN interface. This effort earned him $15,000 and 2 Pwn master points.

1300 – Ken Gannon (@yogehi) of F-Secure Labs (@fsecurelabs) for Samsung Galaxy S21 in the mobile phone category

Failure-Unfortunately, Ken was unable to use his vulnerability within the stipulated time.

1400-Bugscale for the Western Digital My Cloud Pro series PR4100 in the NAS category

Conflict-The exploit chain used by Bugscale contains known bugs. They still earn $20,000 and 2 Master of Pwn points.

1430 – Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH) and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence’s LAN interface for Cisco RV340 in the router category

Conflict-The exploit chain used by the CrowdStrike team contains some known bugs. They can still earn $10,000 and 1.5 Master of Pwn points.

1500-Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE research team, targeting Canon ImageCLASS MF644Cdw in the printer category

Success-The DEVCORE team used a stack-based buffer overflow to take over Canon ImageCLASS printers. This unique error chain earned them $20,000 and 2 master points.

1530-Bien Pham (@bienpnn) from the marine security team Orca (security.sea.com) aimed at the LAN interface of the TP-Link AC1750 smart Wi-Fi router in the router category

Success-Bien Pham used the OOB read error to control the TP-Link AC1750 router through the LAN interface, thus completing the first day. This earned him another $5,000 and 1 master point.

1630-Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE research team, targeting Sonos One Speaker in the home automation category

Success-DEVCORE team used integer underflow to get code execution on Sonos One Speaker. They received 60,000 USD and 6 Pwn Master of Pwn points.

1700-Gaurav Baruah (@_gauravb_) for the WAN interface of Cisco RV340 in the router category

COLLISION-Partial collision. One of the vulnerabilities used by Gaurav is previously known. He still has $22,500 and 2.5 Master of Pwn points.

1730 – THEORI team (@theori_io) 3TB My Cloud Home personal cloud for WD in the NAS category

Success-The THEORI team used stack-based buffer overflow to execute code on WD’s 3TB My Cloud Home Personal Cloud. This will earn them US$40,000 and 4 Master of Pwn points, which will give them a total of US$80,000 and 8 points in 1 day.

1800-Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE research team for HP Color LaserJet Pro MFP M283fdw in the printer category

Success-The DEVCORE team used stack-based buffer overflow to gain code execution capabilities on HP Color LaserJet Pro. They earned another 20,000 USD and 2 Master of Pwn points, bringing their total points on the first day to 100,000 USD and 10 Master of Pwn points.

Due to time constraints and resource constraints, the following attempts will be conducted outside of the evening live broadcast. The results of these attempts will still be reported here and on Twitter.

— Trichimtrich and nyancat0131 are for the LAN interface of NETGEAR R6700v3 in the router category

Success-trichimtrich uses integer overflow to obtain code execution through the LAN interface of the NETGEAR R6700v3 router. They won another reward of $5,000 and 1 point for Master Pwn.

— Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro)’s flashback team aimed at the WAN interface of NETGEAR R6700v3 in the router category

Failure-Unfortunately, the Flashback team was unable to make their vulnerability work within the allotted time.

— Bugscale for the LAN interface of NETGEAR R6700v3 in the router category

Success-The Bugscale team combined authorization bypass with command injection errors to execute code on the LAN interface of the NETGEAR router. They earn $5,000 and 1 master point.

— Crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201 and friends of Mofoffensive Research Team aim at the LAN interface of NETGEAR R6700v3 in the router category

Success-The Mofoffensive research team combined heap overflow and stack-based buffer overflow to execute code on the LAN interface of the NETGEAR R6700 router. Their efforts earned 5,000 USD and 1 Pwn point.

Wednesday, November 3

1000 – NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) aimed at the Western Digital My Cloud Pro series PR4100 in the NAS category

Success-NCC Group used memory corruption errors to execute code on the Western Digital My Cloud Pro series PR4100 in three different ways (and overcame the time issue). They earned $40,000 and 4 Master of Pwn points for themselves.

1030 – Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro)’s flashback team aimed at the WAN interface of the Cisco RV340 in the router category

Success-Pedro and Redek’s Flashback team used an impressive stack-based buffer overflow to execute code on the WAN interface of the Cisco RV340 router. They earn $30,000 and 3 Master of Pwn points.

1100-Sacco Devillers (@nikaiw), Jean-Romain Garnier and Raphael Rigo (@_trou_) Printer category positioning Canon’s imageCLASS MF644Cdw

Success-The team of Nicolas Devillers, Jean-Romain Garnier, and Raphael Rigo achieved code execution on Canon ImageCLASS printers through a stack-based buffer overflow. This unique error chain earned them $20,000 and 2 Master of Pwn points.

1130-crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends of the Mofoffensive Research Team aimed at the LAN interface of the TP-Link AC1750 smart Wi-Fi router in the router category

Failure-Unfortunately, the Mofoffensive team was unable to make his vulnerability work within the allotted time.

1200 – Synacktiv (@Synacktiv) team aimed at Western Digital My Cloud Pro series PR4100 in the NAS category

Success-Synacktiv team used configuration error vulnerability to execute code on PR411. They earn $40,000 and 4 Master of Pwn points.

1230-Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab for the LAN interface of Cisco RV340 in the router category

Success-Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab used 3 unique errors, including authorization bypass and command injection, to execute code on Cisco RV340 through the LAN interface. They earn $15,000 and 2 Master of Pwn points.

1300 – STARLabs team targets Samsung Galaxy S21 in the mobile phone category

Conflict-The exploit chain used by the STARLabs team contains bugs known to the vendor. They still earn $25,000 and 2.5 Master of Pwn points.

1400-Synacktiv (@Synacktiv) team aimed at Sonos One Speaker in the home automation category

Success-The Synacktiv team used a stack-based buffer to disrupt the Sonos One speakers and play the tune for us. They earn $60,000 and 6 Master of Pwn points.

1430 – trichimtrich and nyancat0131 are for the WAN interface of Cisco RV340 in the router category

Success-trichmitrich is used almost all the time, but his command injection errors are unique. He took over the Cisco RV340 through the WAN interface and earned him $30,000 and 3 Master of Pwn points.

1500-Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE research team aimed at the Western Digital My Cloud Pro series PR4100 in the NAS category

Collision-The DEVCORE team successfully exploited WD PR411, but the vulnerability they exploited has been used in competitions before. Their work still earned them US$20,000 and 2 Pwn points.

1530-STARLabs team aimed at the LAN interface of the TP-Link AC1750 smart Wi-Fi router in the router category

Conflict-The STARLabs team used the LAN interface of the TP-Link AC1750 router, but they used a known bug. This still netted them $2,500 and 0.5 Pwn Master points.

1600-Synacktiv (@Synacktiv) team targeted Lexmark MC3224i in the printer category

Success-The Synacktiv team combined three unique errors, including unprivileged access errors and command injection errors, to execute code on the Lexmark MC3224i printer. They earned 20,000 USD and 2 Pwn master points.

1700 – STARLabs team aimed at the Western Digital My Cloud Pro series PR4100 in the NAS category

Conflict-The exploit chain used by Nguy?n Hoàng Th?ch (hi_im_d4rkn3ss) of the STARLabs team includes errors previously used in the competition. They still earn $20,000 and 2 Master of Pwn points.

1745-Synacktiv (@Synacktiv) team aimed at HP Color LaserJet Pro MFP M283fdw in the printer category

COLLISION-The exploit chain used by the Synacktiv team contains a bug that was used early in the game. They still earn $10,000 and 1 master point.

Due to time constraints and resource constraints, the following attempts will be conducted outside of the evening live broadcast. The results of these attempts will still be reported here and on Twitter.

— Q. Kaiser & T. Shiomitsu from the IoT Inspector research laboratory, targeting the Western Digital My Cloud Pro series PR4100 in the NAS category

Failure-Unfortunately, the IoT Inspector research team was unable to make their vulnerability work within the stipulated time.

— The goal of the STARLabs team is WD’s 3TB My Cloud family personal cloud in the NAS category

Conflict-The exploit chain used by Nguy?n Hoàng Th?ch (hi_im_d4rkn3ss) and Phan Thanh Duy (PTDuy) of STARLabs took over the 3TB My Cloud Home personal cloud from WD and used the vulnerability found in the competition. They still earn $20,000 and 2 Master of Pwn points.

— Diffense team for the Western Digital My Cloud Pro series PR4100 in the NAS category

Collision-In their Pwn2Own debut, the Diffense Team collided. They were able to use the Western Digital My Cloud Pro series PR4100, but the vulnerability they used was also used on the first day. They still received $20,000 and two Master of Pwn points when they debuted.

—Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE research team aimed at Lexmark MC3224i in the printer category

Success-The DEVCORE team used a code injection vulnerability to take over the Lexmark MC3224i printer. This unique error chain earned them $20,000 and 2 master points.

— NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) for Lexmark MC3224i in the printer category in the printer category

Success-NCC Group needed multiple attempts again, but they successfully took advantage of the file writing error of Lexmark MC3224i. Earn $20,000 and 2 Master of Pwn points.

— Bien Pham (@bienpnn) Orca (security.sea.com) from the Marine Security Team, for the WAN interface of NETGEAR R6700v3 in the router category

Failure-Unfortunately, Bien was unable to make his loophole work within the allotted time.

-Bian Fan (@bienpnn from Orca () security.sea.com of the Maritime Security Team) LAN interface router category for NETGEAR R6700v3

COLLISION-The two exploit chains used by Bien include vulnerabilities used early in the competition. He still earns $2,500 and 0.5 Master Pwn points.

— Q. Kaiser & T. Shiomitsu from the IoT Inspector research laboratory, targeting the WAN interface of NETGEAR R6700v3 in the router category

Failure-Unfortunately, the IoT Inspector research team was unable to make their vulnerability work within the stipulated time.

— Diffense Team is aimed at the LAN interface of NETGEAR R6700v3 in the router category

Failure-Unfortunately, the Diffense team was unable to make their vulnerability work in the allotted time.

Thursday, November 4

1000 – Martin Rakhmanov (@mrakhmanov) for the Western Digital My Cloud Pro series PR4100 in the NAS category

1030-Synacktiv (@Synacktiv) team aimed at the LAN interface of Cisco RV340 in the router category

1100 – Alexander Bolshev (@dark_k3y), Timo Hirvonen (@TimoHirvonen) and Dmitry Janushkevich (@InfoSecDJ) of F-Secure Labs (@fsecurelabs) target HP Color LaserJet Pro MFP M283fdw in the printer category

1200 – The goal of the STARLabs team is the 3TB My Cloud Home Personal Cloud beta version of WD in the NAS category

1230 – Stephen Lesser (@stephenfewer) of Relyze Software Limited (www.relyze.com) for the LAN interface of Cisco RV340 in the router category

1300-Sam Thomas (@_s_n_t) from the Pentest Limited (@pentestltd) team aimed at Samsung Galaxy S21 in the mobile phone category

1400 – Synacktiv (@Synacktiv) team’s 3TB My Cloud Home personal cloud for WD in the NAS category

1500-Chris Anastasio (@mufinnnnnnn) for Lexmark MC3224i in the printer category

1600-STARLabs team for LAN interface of NETGEAR R6700v3 in the router category

1700 – Stephen Lesser (@stephenfewer) of Relyze Software Limited (www.relyze.com) for the LAN interface of NETGEAR R6700v3 in the router category

Due to time constraints and resource constraints, the following attempts will be conducted outside of the evening live broadcast. The results of these attempts will still be reported here and on Twitter.

— Synacktiv (@Synacktiv) team aimed at the WAN interface of NETGEAR R6700v3 in the router category

— Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro)’s flashback team aimed at the LAN interface of NETGEAR R6700v3 in the router category

Friday, November 5

1000-Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE research team, the target is WD’s 3TB My Cloud family personal cloud in the NAS category

1030-Diffense Team for the LAN interface of Cisco RV340 in the router category

1100 – Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH) and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence for Lexmark MC3224i in the printer category

1200-The NullRiver team of Zhou Xinan, Zou Xiaochen, and Qian Zhiyun aimed at the LAN interface of NETGEAR R6700v3 in the router category

1230-Final summary and coronation of Master Pwn

The Links:   KCS3224ASTT-X9 MG50Q2YS91 LCD-PANEL

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *