Slashdot Mirror


Pwn2Own 2017 Offers Big Bounties For Linux, Browser, and Apache Exploits (eweek.com)

Now that TrendMicro owns TippingPoint, there'll be "more targets and more prize money" according to eWeek, and something special for Pwn2Own's 10th anniversary in March. Slashdot reader darthcamaro writes: For the first time in its ten-year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.
"We are nine weeks away," TrendMicro posted Wednesday, pointing out that they're giving out over $1 million in bounties, including the following:
  • $100,000 for escaping a virtualization hypervisor
  • $80,000 for a Microsoft Edge or Google Chrome exploit
  • $50,000 for an exploit of Adobe Reader, Microsoft Word, Excel or PowerPoint
  • $50,000 for an Apple Safari exploit
  • $30,000 for a Firefox exploit
  • $30,000, $20,000 and $15,000 for privilege-escalating kernel vulnerabilities on Windows, macOS and Linux (respectively)
  • $200,000 for an Apache Web Server exploit

56 comments

  1. thought by buddyglass · · Score: 4, Interesting

    Microsoft, Adobe, Google, Apple, and maybe some of the larger linux contributors/users (IBM, Oracle, Amazon) should form a sort of "consortium" and chip in $1M/year each to fund a much more lucrative version of pwn2own. That's chump change to them. With ~$8M in prizes yearly, I dare say we'd eliminate a lot of security flaws.

    1. Re:thought by Anonymous Coward · · Score: 0

      People aren't going to magically discover security flaws just because you offer to pay a reward. You can't demand insight on a schedule. And because the result is unpredictable, the consortium won't want to gamble and lose. Quarterly thinkers want return on investment and not nebulous money sinks.

    2. Re:thought by Anonymous Coward · · Score: 0

      Um yeah they will. Money encourages people to look...which is how bugs are found.

    3. Re:thought by Anonymous Coward · · Score: 0

      It's also better just to pay these people outright and get the problems fixed vs. having them do the same thing for shits and giggles with the vulnerable software not being fixed. I see this as a win-win for everybody.

    4. Re: thought by dougdonovan · · Score: 0

      microsoft did this 10 years ago ...good luck to pwn ...u r not microsoft...check your ipo & good luck w/ linus.

    5. Re:thought by buddyglass · · Score: 2

      If you offer the money and nobody claims it then you haven't lost. If nothing else, you can use it as P.R.

      Now that I've had some time to think about it more, what would worry me is that if the prize were lucrative enough, people might delay reporting flaws they've found in order to claim the yearly prize. So it would really need to be an "all the time" thing and not necessarily a yearly thing.

    6. Re:thought by Gumbercules!! · · Score: 2

      They're not hoping people will magically discover flaws because of the reward, rather that they will turn in known vulnerabilities or not hand them over to the black market, for money.

  2. no thanks by Anonymous Coward · · Score: 0

    id rather be poor and look be able to spy on you all ....hhehehehehe

    and i have several exploits that work on everything listed enjoy , if the nsa wants to spy so do i...

  3. Apache is trivial to exploit by Anonymous Coward · · Score: 1

    When paired with mod_php it is child's play.

    How about targeting nginx, a superior web server?

    1. Re:Apache is trivial to exploit by Anonymous Coward · · Score: 0

      Put up or shut up.

      I'm very glad to see pwn2own targeting linux-- as a linux user, the more good guys finding bugs the better...

    2. Re:Apache is trivial to exploit by ledow · · Score: 2

      Go claim your $200,000 then.

    3. Re:Apache is trivial to exploit by 93 Escort Wagon · · Score: 3, Funny

      Go claim your $200,000 then.

      One problem - his mom won't let him travel alone...

      --
      #DeleteChrome

    4. Re:Apache is trivial to exploit by Anonymous Coward · · Score: 0

      There are about a dozen new apache exploits every week. Are you that stupid?

      There are about 100 new php exploits every day. Fuckstain.

      I suspect that the number of exploitable Apache bugs is quite small. You are particularly stupid, and supremely entitled to the epithet you have bandied about.

    5. Re:Apache is trivial to exploit by gravewax · · Score: 1

      I would expect the Apache prize to be claimed pretty quickly. They seem to have gotten worse in recent years rather than improving.

    6. Re:Apache is trivial to exploit by Anonymous Coward · · Score: 0

      Reference? Apache core vulns are fairly rare. Third party modules are usually the problem.

      For example, was httpoxy Apache's fault, or Perl/Python/PHP's fault? I'd argue it was a problem in the 3 Ps, but that it was appropriate for Apache to build a protection against it.

  4. Submitter missed one of the bounties by 93 Escort Wagon · · Score: 4, Funny

    $1.99 for a working IIS exploit.

    --
    #DeleteChrome

    1. Re: Submitter missed one of the bounties by pellik · · Score: 2

      That would blow the budget.

    2. Re: Submitter missed one of the bounties by Anonymous Coward · · Score: 0

      I was pretty much under the impression that IIS properly configured wasn't really that bad anymore. If it were, wouldn't more people be attacking web servers hosting multiple sites?

      Is there a good site with known to work exploits for IIS? I'm not interested in hacking but more interested in identifying methods of securing my sites.

      If I am correct, IIS web sites are executed with a user privilege not admin. If anything, I'd imagine it would require a windows exploit as opposed to an IIS exploit to attack it.

    3. Re:Submitter missed one of the bounties by Anonymous Coward · · Score: 0

      IIS for the last 5 or 6 years at least has been far more secure than apache.

    4. Re: Submitter missed one of the bounties by Anonymous Coward · · Score: 0

      yep, IIS being the laughing stock of security is really ancient history. If anything it tends to do better on security now than Apache.

    5. Re: Submitter missed one of the bounties by Anonymous Coward · · Score: 0

      You are correct IIS exploits for iis7+ are rare.
      It's something MS actually got right when they rewrote everything around the svr2008\r2 time frame and since.

    6. Re:Submitter missed one of the bounties by wvmarle · · Score: 1

      Joking aside, if prize money is related to the difficulty of an exploit, then why is a Linux kernel exploit half the price of a Windows kernel exploit?

    7. Re: Submitter missed one of the bounties by Anonymous Coward · · Score: 0

      IIS usage is pretty rare.

    8. Re:Submitter missed one of the bounties by Anonymous Coward · · Score: 0

      It is not. Apache exploits are common.

      MS donated more money for Windows exploits, derp

  5. Big Money Prizes by PopeRatzo · · Score: 1

    As you all know, first prize is a Cadillac El Dorado. Anybody want to see second prize? Second prize is a set of steak knives. Third prize is you're in prison.

    And by the way, all of you now work for the government, comrades.

    --
    You are welcome on my lawn.

  6. It's about time! by Gravis Zero · · Score: 2

    Having a competition to attack Windows and OSX is fine and all but it's not helpful to anyone trying to run a secure system. I'm looking forward to any number of Linux kernel exploits because it's running on most servers... and my desktop. :)

    --
    Anons need not reply. Questions end with a question mark.

  7. Loons like you are why I wrote this by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-5 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads & malware rob speed, security & privacy

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

  8. Re:Loons like you are why I wrote this by Anonymous Coward · · Score: 0

    Could you stop sperging your bullshit?

    Host files is such a manual and clumsy way to block things. It was cutting edge in 1993!

  9. Can kind of see security by price... by cant_get_a_good_nick · · Score: 1

    Chrome and Edge the hardest, Safari a bit less secure, Firefox at the bottom. At least they're in the competition - they used to be so insecure as to not be worth being in the competition

    1. Re:Can kind of see security by price... by Anonymous Coward · · Score: 0

      It's more that Firefox isn't pre-bundled with any devices, and so isn't widely used. By contrast every Win10 machine had Edge, pretty much every Android has Chrome, and every OSX/iOS device has Safari. Of course they're going to be worth more to hack.

  10. Re: Loons like you are why I wrote this by Anonymous Coward · · Score: 0

    Do you have a better way to block sites? A browser add on is not better by the way.
    I block sites on my router with unbound, if I wasn't using my homemade router then I'd just use the hosts file.
    Please explain the better way you use.

  11. Why these numbers? by garote · · Score: 1

    Why is the Safari bounty higher than the Firefox bounty, even though more people are on Firefox? More backing from Apple? More easily exploited target userbase?

    1. Re:Why these numbers? by Anonymous Coward · · Score: 0

      because firefox is a security mess so far less effort required to win the prize. I am surprised the bounty is as high as it is given how bad the security in it is.

    2. Re:Why these numbers? by Anonymous Coward · · Score: 0

      Because why would it be worth more to find an exploit for Firefox, when it's not pre-bundled on any device (anymore, since nobody wanted FirefoxOS), while Safari comes forcibly bundled on all OSX and iOS iPhones (including third-party browsers, which have to use Safari's engine as their own)? The same thing applies for Edge and Chrome.

    3. Re:Why these numbers? by Anonymous Coward · · Score: 0

      Well that sure explains why there are so many hacked Firefox installations out there, doesn't it? And of course, it doesn't matter how quickly and effectively they close holes, just that you feel they're theoretically more hackable despite nobody actually taking advantage of it, apparently.

    4. Re:Why these numbers? by Anonymous Coward · · Score: 0

      WTF? have you been living in a hole, firefox exploits are rampant. It is one of the biggest things I am constantly cleaning up in my support role. The list of firefox exploits for 2016 was multiple pages long and many of them critical and requiring no more interaction than browsing a site.

  12. No asshole - I won't... apk by Anonymous Coward · · Score: 0

    See subject: MAKE ME (& I see I ran you DRY of your "downmodpoints" too - hence your unidentifiable ac post)

    APK

    P.S.=> You little pussy motherfucker... apk

    1. Re:No asshole - I won't... apk by Anonymous Coward · · Score: 0

      You little pussy motherfucker

      Dude, sort out your tourette's.

    2. Re:No asshole - I won't... apk by Anonymous Coward · · Score: 0

      Keep on sperging...

      You are stupid and pathetic.

  13. Firefox is back! And windows exploit more $$$? by tlhIngan · · Score: 1

    Well, the good news is that Firefox is back! It was banned a few years because it was considered so insecure that there was no challenge in finding a new exploit.

    Though, $30,000 for a Windows kernel elevation exploit? It seems like a lot of money, especially since macOS gets you $20,000 and Linux a measly $15,000.

    1. Re:Firefox is back! And windows exploit more $$$? by Gumbercules!! · · Score: 1

      Windows kernel exploits are worth more because they're worth more on the open market (because that's where the corporate data is and corporations pay ransoms). pwn2own has to compete with the black market, after all. If you discover a Windows exploit - you can sell it for a lot of money if you sell it exclusively. Not so much an OSX and even less a Linux desktop exploit. So market forces dictate that, if you want people to actually turn up to pwn2own and show you their exploits, you need to make it attractive, not just to pure whitehats but to greyhats, too. If they can get $50,000 or something from "some guy in Russia" you can't very well offer $5,000 and hope they tell you out of the goodness of their hearts.

    2. Re:Firefox is back! And windows exploit more $$$? by Anonymous Coward · · Score: 0

      Browser vulnerabilities are more valuable because they protect more people. Generally speaking, gaining shell access on a server means game over already. The privilege escalation is just icing on the cake. So I actually agree that these escalations are reasonable bounties. Remember, those aren't just "any bug in Linux," they are specifically privilege-escalation bugs.

    3. Re:Firefox is back! And windows exploit more $$$? by wvmarle · · Score: 1

      That wouldn't explain why Edge has so high a price on its exploits, as it's one of the smaller browsers nowadays.

    4. Re:Firefox is back! And windows exploit more $$$? by Gumbercules!! · · Score: 1

      Possibly - but there's likely a similar set of drivers. a) Microsoft is paying for the bounties. b) Again, criminals know if they can break Edge, they will get a sizeable number of home users now and more in the future and c) (some) corporations are more likely to use Edge than Chrome, especially as more move to Windows 10.

    5. Re:Firefox is back! And windows exploit more $$$? by Anonymous Coward · · Score: 0

      Edge is also pre-bundled on every Windows 10 system; Firefox isn't. Edge is also rather pushy by comparison, using ads built into Win10 to pressure people into using it, and being necessary to use some things like Cortana. As Win10 usage grows, so will Edge's use (and thus hacks are far more valuable). Why would a Firefox exploit be worth as much in the face of that?

    6. Re:Firefox is back! And windows exploit more $$$? by Anonymous Coward · · Score: 0

      It was only "banned" from last year's event, if by "banned" they didn't pay for exploits. I'm not sure why you chose that word, to be honest.

    7. Re:Firefox is back! And windows exploit more $$$? by benjymouse · · Score: 1

      Windows kernel exploits are worth more because they're worth more on the open market (because that's where the corporate data is and corporations pay ransoms). pwn2own has to compete with the black market, after all.

      Wrong. All of these prizes are far below what a zero-day exploit is worth on the black market. This contest is not a way to overbid the black market; rather it is a way for white-hats to showcase their skills and bring attention to vulnerabilities.

      The prizes are set to reflect the expected difficulty; the hardest targets - the ones that involve the most work - pay most. Virtual machine escapes are considered really hard because of the very limited attack surface.

      Windows 10 is considerably harder to crack than Linux and OS/X. The latter 2 still have *far* too many services running as root and still expose a lot of SUID root executables. Windows 10 has also adopted many of the EMET anti-exploit techniques. You'd have to harden Linux with grsecurity to achieve the same level.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*

  14. Why don't you prove this wrong instead? by Anonymous Coward · · Score: 0

    What hosts do addons can't (or as well):

    PROTECT vs.:

    1.) bad sites (past ads)
    2.) fastflux C&C
    3.) dynDNS C&C
    4.) DGA C&C
    5.) DNS down
    6.) poisoned dns
    7.) trackers (dnsrequestlogs/ads/transparent ISP proxy)
    8.) spam/phish payload
    9.) dns blocks
    10.) slowdown 2 ways: adblocks & hardcodes

    11.) Multiplatform
    12.) Ez data edit
    13.) Efficiency (cpu/ram/I-O)

    14.) UBlock no DNS bennys = poor imitation = "sincerest form of flattery"
    15.) NoScript tag parses. Hosts block adservers before it cheaper

    APK

    P.S.=> AB+ 151mb http://cdn.ghacks.net/wp-content/uploads/2014/06/adblocker-memory-consumption.jpg/

    UBlock 64MB http://cdn.ghacks.net/wp-content/uploads/2014/06/adblocker-memory-consumption.jpg/

    (hosts ~6mb)

    ClarityRay defeatable

    Don't work http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/

    SLOWER: http://superuser.com/questions/686041/which-leads-to-faster-browsing-an-ad-blocker-or-an-edited-hosts-file/

    1. Re:Why don't you prove this wrong instead? by Anonymous Coward · · Score: 0

      See a therapist. You have serious mental illness.

    2. Re:Why don't you prove this wrong instead? by Anonymous Coward · · Score: 0

      hosts files can't dynamically block sites numbnuts.

      Turn down your assburgers

    3. Re:Why don't you prove this wrong instead? by Anonymous Coward · · Score: 0

      He doesn't even have ass burgers since it was always a bullshit condition that has been removed.

      He is simply fucktarded

  15. Stuff your advice up your ass "Forrest" by Anonymous Coward · · Score: 0

    See my subject: As you "Run, Forrest: RUN!!!" from a fair challenge I put to trolls like you https://it.slashdot.org/comments.pl?sid=10146371&cid=53715879/ & "your kind" RUNS, every single time, lol...

    APK

    P.S.=> If all you can do is harass others online? Take your own poor advice, freak... apk