SAFA and TeamT5 Take Part in Pwn2Own’s Vulnerability Demonstration

Cybersecurity is always a work in progress. That’s why SAFA and our key partner, TeamT5, regularly participate in ethical hacking events. They provide a venue to learn about current real-world security issues and sharpen our skills in solving them. This is why we traveled to Toronto, Canada, for the most recent Pwn2Own competition. 

The following story of our Pwn2Own experience will show how our team continually strives to learn and improve our cybersecurity skills and acumen. It will also provide a window into how such events harness competition and collaboration to make the cyber landscape safer for all of us. 

What is Pwn2Own?

Pwn2Own is a renowned hacking competition that rewards cybersecurity specialists for acting like cyber criminals; it challenges contestants to discover and exploit vulnerabilities in various software and operating systems. The competition began with a simple challenge: find and exploit a vulnerability on a device, such as an Apple MacBook, and the device is yours to keep, hence the name.

The event gives cybersecurity researchers and ethical hackers a platform to showcase their skills by attempting to compromise the security of popular software and devices. Organized by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own is more than a contest; its prominence stems in part from its role in identifying and addressing critical security flaws.

During the competition, participants target a range of software applications, web browsers, operating systems, and other digital platforms. Successful exploitation of a vulnerability typically involves the execution of arbitrary code or the bypassing of security mechanisms. Nowadays, contestants who successfully compromise a system are awarded cash prizes in addition to the device they exploited. At the Toronto Pwn2Own, the total prize payout was $938,250.

Pwn2Own plays a crucial role in improving cybersecurity by incentivizing the discovery and responsible disclosure of security vulnerabilities. The competition not only fosters constructive competition among security researchers but also encourages software developers and vendors to enhance the robustness of their products. The insights gained from Pwn2Own contribute to the overall improvement of digital security, making it a significant event in the cybersecurity community.

SAFA and TeamT5’s First Pwn2Own

Pwn2Own contestants can choose from multiple categories and stages in which to compete. Ahead of the event, we put our heads together to decide on targets. Since we had been investing a lot of effort into IoT, we naturally picked our targets from SOHO Smashup, one of the available categories. The devices in its initial stage are all routers, the kind of device that is typically exposed to the Internet, while the devices in its final stage are everyday LAN devices such as IP cameras, NAS units, and printers. We chose one target from the initial stage and another from the final stage.

After selecting our targets, we began evaluating potential attack surfaces. It is worth mentioning that, besides the conventional approach of compromising a device directly from the external network (WAN) side, Pwn2Own also accepts man-in-the-middle (MitM) attacks. In other words, if you can find a way to make the device talk to you, that path is fair game: the device might periodically resolve a specific DNS name, or it might support a discovery protocol that lets an attacker impersonate a client and interact with it. You can also discuss typical device configurations and usage patterns with the organizers to find out whether a given attack strategy would count as valid under the competition's rules.

All teams must sign an NDA and submit a final whitepaper and a vulnerability proof of concept (PoC) to ZDI, which retains the IP rights to the exploits and embargoes their publication until the issues are fixed. Before the event, the officials hold an online draw that tells contestants when their exploits will be tested. This also reveals which teams are targeting which categories and devices. If someone else is testing your target, you can gauge whether your findings are likely to collide; if not, it points to other vulnerabilities that remain to be explored.

A few days before the official testing began, we received an official communication from Pwn2Own. The message confirmed the final test versions for each target device and provided us with the Teams link and guidelines for the upcoming session. On the day of testing, organizers reached out again to ensure we'd checked relevant device settings, installed necessary libraries for our exploit, and confirmed language versions. They reiterated the rules for exploit testing: we’d have three opportunities to execute an exploit, not to exceed ten minutes each.

As we prepared for the competition, the organizers made the rounds among the contestants, casually talking shop about cybersecurity, discussing skills, asking about areas of specialization, and so forth. This helped to build a sense of camaraderie among everyone in attendance.

After double checking all settings, organizers initiated the countdown and ran the designated exploit script. Even though we'd run countless tests in our local environment, the instant the organizers launched the process, seeing the screen fill with logging lines gave our team a competitive rush. Intensely focused, we hunted for the elusive root shell.

Our exploit attempt was successful. The organizers verified with us the root cause of the vulnerability and whether it matched any previously reported issues. If there's a collision in discoveries, points earned are reduced and the prize amount decreases. With that, the competition concluded, with final results posted to the organizer's X (Twitter) and official website.

The Vulnerability We Found

We identified a stack-based buffer overflow in `/lib/libjansson.so.4.7.0`, the JSON parsing library the device uses to parse configuration files and to handle web requests. The bug is not in upstream jansson; it stems from a vendor modification to the parsing of object (JSON dictionary) keys.

When the parser reaches an object key, it calls `sscanf(key, "%s %s", v1, v2)`. Both `v1` and `v2` are fixed-size arrays on the stack, and neither `%s` conversion carries a field width, so `sscanf` copies each whitespace-delimited token of the key in full regardless of its length. The only check that precedes the call, `memchr(key, 0, len)`, rejects keys containing an embedded NUL byte; it does nothing to bound the key's length. A JSON document whose object key is longer than those arrays therefore overwrites the stack frame of `parse_object` when it is parsed. Here is the decompiled pseudocode of the function in `libjansson.so.4.7.0` that contains the bug (`// ...` marks code omitted from the listing):

```c
json_t *parse_object(lex_t *lex, int flags, void *error)
{
    // Stack variables: the fixed-size destinations of the sscanf below
    char v1[32];
    char v2[12];
    // ...
    char *key;
    json_t *json;
    // ...
    while ( 1 )
    {
        // ...
        // Rejects an embedded NUL byte in the key, but does not bound its length
        if ( memchr(key, 0, len) )
        {
            jsonp_free(key);
            error_set(error, lex, "NUL byte in object key not supported");
            goto error_exit;
        }
        v2[0] = 0;
        // "%s" without a field width: each token is copied in full, so a first
        // token of 32 or more bytes overflows v1, a second of 12 or more overflows v2
        _isoc99_sscanf(key, "%s %s", v1, v2);
        // ...
    }
    // ...
error_exit:
    json_decref(json);
    return 0;
}
```

An attacker could leverage this vulnerability to achieve remote code execution with a single crafted request to the device. Following our disclosure, the issue was fixed in the latest firmware, as indicated in the BC500 release notes. We strongly recommend that you update your device as soon as possible.
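As an added example (not code from the original post, nor from the library on the device), the following C program isolates the `sscanf(key, "%s %s", v1, v2)` pattern with the same 32- and 12-byte stack arrays, computes how far an over-long key would write past them, and shows a hardened replacement that checks each token against its destination before copying it. The buffer sizes come from the pseudocode above; the sample keys, the helper names and the `KEY_*` status codes are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Destination sizes as they appear in the decompiled parse_object(). */
#define V1_SIZE 32
#define V2_SIZE 12

/* The whitespace set that "%s" skips and stops on (isspace() in the C locale). */
#define WS " \t\n\r\f\v"

/* Status codes are an assumption for this example, not the library's own. */
typedef enum { KEY_OK = 0, KEY_EMPTY, KEY_TOO_LONG } key_status;

/* Locate the two whitespace-delimited tokens that "%s %s" would extract.
 * n2 is 0 when the key holds only one token; the "%s %s" call then leaves
 * v2 untouched, which is why the original code zeroes v2[0] beforehand. */
static void scan_tokens(const char *key, const char **t1, size_t *n1,
                        const char **t2, size_t *n2)
{
    const char *p = key + strspn(key, WS);
    *t1 = p;
    *n1 = strcspn(p, WS);
    p += *n1;
    p += strspn(p, WS);
    *t2 = p;
    *n2 = strcspn(p, WS);
}

/* Vulnerable form, reduced from the decompiled parse_object(). Kept only for
 * comparison: with an over-long token the width-less "%s" writes past v1/v2
 * on the stack, so this must never be given untrusted input. */
static int parse_key_unsafe(const char *key, char *first, char *second)
{
    char v1[V1_SIZE];
    char v2[V2_SIZE];
    v2[0] = 0;
    int n = sscanf(key, "%s %s", v1, v2);   /* no field widths: the bug */
    if (n < 1)
        return KEY_EMPTY;
    strcpy(first, v1);
    strcpy(second, v2);
    return KEY_OK;
}

/* How many bytes the unbounded sscanf above would write past the end of v1
 * or v2 for this key (0 when both tokens, each plus its NUL, fit). */
static size_t overflow_bytes(const char *key)
{
    const char *t1, *t2;
    size_t n1, n2;
    scan_tokens(key, &t1, &n1, &t2, &n2);
    size_t over1 = (n1 + 1 > V1_SIZE) ? n1 + 1 - V1_SIZE : 0;
    size_t over2 = (n2 + 1 > V2_SIZE) ? n2 + 1 - V2_SIZE : 0;
    return over1 > over2 ? over1 : over2;
}

/* Hardened form: the same two tokens, but each is length-checked against its
 * destination before it is copied, and an over-long token is rejected rather
 * than silently truncated (which "%31s %11s" would do). */
static key_status parse_key_safe(const char *key, char first[V1_SIZE],
                                 char second[V2_SIZE])
{
    const char *t1, *t2;
    size_t n1, n2;
    scan_tokens(key, &t1, &n1, &t2, &n2);
    if (n1 == 0)
        return KEY_EMPTY;
    if (n1 >= V1_SIZE || n2 >= V2_SIZE)
        return KEY_TOO_LONG;
    memcpy(first, t1, n1);
    first[n1] = '\0';
    memcpy(second, t2, n2);
    second[n2] = '\0';
    return KEY_OK;
}

/* Wrappers that reduce a key to one return value (handy for checks). */
static key_status check_key(const char *key)
{
    char a[V1_SIZE], b[V2_SIZE];
    return parse_key_safe(key, a, b);
}

static int safe_parse_gives(const char *key, const char *exp1, const char *exp2)
{
    char a[V1_SIZE], b[V2_SIZE];
    return parse_key_safe(key, a, b) == KEY_OK &&
           strcmp(a, exp1) == 0 && strcmp(b, exp2) == 0;
}

/* A constructed object key of the shape the bug needs (not the contest PoC):
 * a 40-byte first token, longer than v1, then a 20-byte second, longer than v2. */
static const char EVIL_KEY[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" " "
    "BBBBBBBBBB" "BBBBBBBBBB";

int main(void)
{
    char a[V1_SIZE], b[V2_SIZE];

    parse_key_unsafe("timeout sec", a, b);      /* benign input only */
    printf("benign key      -> v1=\"%s\" v2=\"%s\"\n", a, b);
    printf("evil key        -> unbounded sscanf would write %zu byte(s) past a stack buffer\n",
           overflow_bytes(EVIL_KEY));
    printf("hardened parser -> %s\n",
           check_key(EVIL_KEY) == KEY_TOO_LONG ? "rejected" : "accepted");
    return 0;
}
```

The tempting one-line fix, `sscanf(key, "%31s %11s", v1, v2)`, stops the overflow but silently truncates over-long keys, so a malformed key would be accepted with a meaning the sender did not intend; the hardened parser rejects it instead. Build with `cc -Wall` and run the binary to see the three lines above.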

Looking Ahead to our next Pwn2Own

Our first entry into the Pwn2Own contest was a learning experience for our team. Despite being new to the event, we drew many valuable insights from the challenge it presented. The constructive competition among contestants, along with the cooperation and common goals of everyone involved, highlighted what the cybersecurity community can achieve when we come together.

Overall, our team enjoyed our first Pwn2Own and is looking forward to our next entry. We aim to come even better prepared, unveil more zero-days, and move the needle forward in cybersecurity for the good of all.
