PwnFest is a “festival” that encourages hackers and security firms to target specific platforms as a means of demonstrating how vulnerabilities they find can be used in the wild. Participants receive a cash prize while platform developers receive information about vulnerabilities and how they are exploited. In the end, participants and general consumers are the two big winners stemming from the event.
That said, here are the targets and their cash rewards:
| Platform/OS/Device | Base Reward | Extra Reward |
| Microsoft Edge Windows 10 x64 Redstone 1 |
$120,000 | $20,000 |
| Android 7.0 Nexus 6p and Pixel |
$120,000 | $20,000 |
| Microsoft Hyper-V Windows Server 2016 |
$150,000 | none |
| Google Chrome Windows 10 x64 Redstone 1 |
$120,000 | $20,000 |
| Apple iOS 10 iPhone 7 Plus |
$120,000 | $60,000 |
| Apple Safari MacOS Sierra |
$80,000 | $20,000 |
| Adobe Flash Player Microsoft Edge Windows 10 x64 Redstone 1 |
$100,000 | $20,000 |
| VMWare Workstation Pro 1.2 Windows 10 x64 Redstone 1 |
$150,000 | none |
As for the participating teams, there appear to be six. Here they are with their targets:
| 360Vulcan 360Alpha 360Marvel |
Lokihardt | Team Pangu JH |
| Microsoft Edge | Microsoft Edge | Apple Safari |
| VMware Workstation 12.5.1 | VMware Workstation 12.5.1 | |
| Adobe Flash Player | ||
| Android 7.0 (via Pixel) |
On the Microsoft Edge front, vulnerabilities discovered in the Windows 10 browser enabled system-level remote code execution. To better understand system-level access, you have to look at how device operating systems are layered in a security sense. At the top layer, consumers will see the applications they normally use. Under that are device drivers with low privileges followed by device drivers with high privileges further underneath. The final bottom layer consists of the operating system’s central core, aka the kernel, that controls everything. Running a malicious program below the “user” layer grants a hacker special privileges that can go undetected by the device owner.
According to The Register, Lokihardt managed to successfully exploit Microsoft Edge’s security hole(s) in 18 seconds, whereas the length of time it took Qihoo 360’s team to hack Microsoft Edge was not provided. In fact, the Qihoo 360 team reportedly worked on developing its trio of attacks for a period of six months prior to this week’s event.
However, despite all that preparation, the Qihoo 360 team was forced to rework their Edge browser attack within a span of 30 hours. That is because Microsoft plugged three of the four available vulnerabilities in a patch on Tuesday released prior to this week’s hacking event.
Microsoft’s Edge browser was not the only piece of software to be exploited. Qihoo 360, a security firm located in China, pocketed $520,000 in total for their efforts, including exploiting Flash in four seconds to win $120,000. It also used an undisclosed vulnerability to hack the Google Pixel to allow remote code execution, which won them another $120,000. The following video shows the Pixel exploit as it happened.
Other exploits included the use of a root privilege escalation bug to win $80,000 for hacking Apple’s Safari browser. Edge was broken for prize money totaling $140,000. The prize money is sponsored by many of the same companies that publish software that is commonly the target of an attack and it is money well-spent — the companies can use the results of events like PwnFest to close security holes and avoid much more costly exploits down the road.
The details surrounding vulnerabilities exploited during PwnFest won’t be released to the public right away, but rather provided directly to the vendors so they can issue an immediate fix.
Updated on 11-14-2016 by Mark Coppock: Added information on further exploits achieved during PwnFest 2016.
