Starting in 2007, Pwn2Own has grown from a small, browser-focused event to become one of the most well-known security contests in the industry. Back then, a successful exploit earned a MacBook and $10,000 for the winner. This past year, the ZDI awarded over $2.5 million dollars at Pwn2Own competitions around the world (plus a whole bunch of hardware). 2022 marks the 15th anniversary of the contest, and we’ve set out to make it the best competition ever.
To start, we’ll return in person to the Sheraton Wall Center in Vancouver for the CanSecWest conference on May 18-20, 2022. We’ll still allow remote participation in this hybrid event. If you have either travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest registration deadline (May 12, 2022) and submit a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry. A member of the ZDI staff in Vancouver will run your exploit for you.
Next, Tesla returns as a partner, but driving off with a new car will be more of a challenge this year. We’ll have both a Tesla Model 3 and a Tesla Model S available as targets. Of course, with a greater challenge comes a greater reward, with the top prize going for $600,000 (plus the car itself). Other partners this year include Zoom and Microsoft. In last year’s event, Zoom and Teams exploits were highlights, and both return as targets in the Enterprise Communications category. Of course, virtualization exploits are always a contest highlight, and VMware returns as a sponsor with VMware Workstation and ESXi returning as targets.
In addition to the in-person attempts at the conference, we’ll be live-streaming select attempts on Twitch, YouTube, and more. Contestants will be able to participate in almost all categories remotely, but we hope many will join us in Vancouver to demonstrate their exploits. All told, more than $1,000,000 USD in cash and prizes are available to contestants, including the Tesla Model 3, in the following categories:
-- Virtualization Category
-- Web Browser Category
-- Enterprise Applications Category
-- Server Category
-- Local Escalation of Privilege Category
-- Enterprise Communications Category
-- Automotive Category
Of course, no Pwn2Own competition would not be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.
Let's take a look at the details of the rules for this year's contest.
Virtualization Category
We’re happy to have VMware returning as a Pwn2Own sponsor for 2022, and this year, again we’ll have VMware ESXi alongside VMware Workstation as a target with awards of $150,000 and $75,000 respectively. VMware has been a sponsor of Pwn2Own for several years, and we’ve seen some great research presented at the contest in years past. Microsoft also returns as a target for 2022 and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox rounds out this category with a prize of $40,000. We’ve seen some amazing guest-to-host OS escalations demonstrated at previous Pwn2Own contests. Here’s hoping we see more this year.
There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi), they can earn an additional $50,000 and 5 more Master of Pwn points. That could push the payout on a Hyper-V bug to $300,000. Here’s a detailed look at the targets and available payouts in the Virtualization category:
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/b4578266-7e6d-4955-afc1-b15894290e6d/Virtualization.png?format=1000w" />
Web Browser Category
While browsers are the “traditional” Pwn2Own target, we’re continuously tweaking the targets in this category to ensure they remain relevant. For this year’s event, a successful demonstration no longer requires a sandbox escape. Renderer-only exploits will earn $50,000, but if you have that Windows kernel privilege escalation or sandbox escape, that will earn you up to $100,000 or $150,000 respectively. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $25,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant can compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $75,000 and 8 more Master of Pwn points. Full exploits are still required for Apple Safari and Mozilla Firefox. Here’s a detailed look at the targets and available payouts:
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/55e2511f-b2cf-4466-87eb-ea0661c4d21a/Browsers-2.png?format=1000w" />
Enterprise Applications Category
Enterprise applications also return as targets with Adobe Reader and various Office components on the target list once again. Prizes in this category run from $50,000 for a Reader exploit with a sandbox escape or a Reader exploit with a Windows kernel privilege escalation and $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. Microsoft Office-based targets will have Protected View enabled. Adobe Reader will have Protected Mode enabled. Here’s a detailed view of the targets and payouts in the Enterprise Application category:
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/040d7f6e-e266-416e-8ca4-af8e8cbe36a8/EnterpriseApps.png?format=1000w" />
Server Category
Last year, we expanded the Server category by adding Microsoft Exchange and SharePoint. Consequently, we saw some amazing Exchange exploits demonstrated – including ProxyShell. Both targets return for this year’s contest with SharePoint garnering a larger payout. We’ve also added Samba to this year’s event, and we’re excited to see what research may be demonstrated. This category is rounded out by Microsoft Windows RDP/RDS, which also has a payout of $200,000. Here’s a detailed look at the targets and payouts in the Server category:
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/08a8965e-d2e1-4152-8439-e9399d16d188/Servers-2.png?format=1000w" />
Local Escalation of Privilege Category
This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. A successful entry in this category must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop and Microsoft Windows 11 are the two OSes available as targets in this category.
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/946e56bd-027f-4f74-8e8e-7e4d112675c0/EoP.png?format=1000w" />
Enterprise Communications Category
We introduced this category last year to reflect the importance of these tools in our modern, remote workforce, and we were thrilled to see both targets compromised during the contest. We’re also excited to have Zoom return as a partner for this year’s Pwn2Own event. A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio calls, video conferences, or messages. Both Zoom and Microsoft Teams have a $150,000 award available, so we’re hoping to see more great research in this category.
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/87674ad7-4000-48c0-9882-58212903d793/EnterpriseComms.png?format=1000w" />
Automotive Category
We introduced the Automotive category in 2019, and we are excited to have Tesla return as a partner for 2022. We awarded a Tesla Model 3 in that first contest, but we wanted to raise the level of complexity for this year’s event. Tesla vehicles are equipped with multiple layers of security, and for this year’s event, there are three different tiers of awards within the Automotive category that corresponds to some of the different layers of security within a Tesla car, with additional prize options available in certain instances. Contestants can register an entry against either a Tesla Model 3 (Intel or Ryzen-based) or the Tesla Model S (Ryzen-based).
Tier 1 earns the top prizes and represents a complete vehicle compromise. Correspondingly, this also has the highest award amounts. To win this level, a contestant will need to pivot through multiple systems in the car, meaning they will need a complex exploit chain to get arbitrary code execution on three different sub-systems in the vehicle. Success here gets a big payout and, of course, a brand-new Tesla.
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/783b5822-ea70-4a01-ab21-1f8c6507957a/Tesla_Tier1.png?format=1000w" />
In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $600,000. This represents the single largest target in Pwn2Own history. If someone can do this, it would also mean 60 total Master of Pwn points, which is nearly insurmountable. Here’s some additional info on the optional add-ons that are included in the various tier levels.
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/8fe8dbaa-1860-4904-b8a7-4256e4c47a14/Tesla_AddOn-2.png?format=1000w" />
Again, it’s difficult to express the complexity of completing such a demonstration, but we’re certainly hopeful that someone can show off their exploit skills and drive off a winner.
The second tier in this category is not quite as complex but still requires the attacker to pivot through some of the vehicle’s sub-systems. This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge. If you include the optional targets, the largest single payout for Tier 2 would be $400,000. A winning entry in Tier 2 would still be an impressive and exciting demonstration and includes driving off with the Tesla. Tier 2 also includes some of the above add-ons, as detailed below:
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/af365911-89a4-47d3-93f5-8357d624a86b/Tesla_Tier2.png?format=1000w" />
The targets in Tier 3 could prove to be just as difficult, but you only need to compromise one sub-system for a win here, which is still no easy task. Not every instance within Tier 3 includes winning the car. This year also introduces the Diagnostic Ethernet as a vector of attack. Some of the Tier 3 targets have add-ons available, but to drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below:
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/07e8a2f0-c172-4b56-b975-2596c82d5b13/Tesla_Tier3-2.png?format=1000w" />
Conclusion
The complete rules for Pwn2Own 2022 are found here. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have a specific configuration or rule-related questions, email us. Questions asked over Twitter or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. Registration closes at 5 p.m. Pacific Time on May 12, 2022.
Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a sweet ride home from this year’s Pwn2Own competition.
With special thanks to our Pwn2Own 2022 Partners Tesla, Zoom, and Microsoft.
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/5ea1abef-eb89-4431-b5dc-88de27042f22/Zoom+-+Blue.png?format=1000w" />
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/e908aa0e-a728-48e8-b5df-ce04bbd078e7/Microsoft-Logo-700x394.png?format=1000w" />
Thanks also to our Pwn2Own 2022 Sponsor
<img alt="" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/3448f998-4a81-4343-b994-ada8f32a6611/1000px-Vmware.svg.png?format=1000w" />
Article Link: Zero Day Initiative — Pwn2Own Vancouver Returns for the 15th Anniversary of the Contest