Skip to main content

Exchange, Teams, Zoom, Hacked at Pwn2Own 2021

by Chris Brook on Thursday April 8, 2021

Contact Us
Free Demo

The annual hacking competition will see 23 attempts against operating systems, virtualization software, and browsers.

Browsers including Google Chrome, Microsoft Edge, and Apple Safari, along with Microsoft Teams, Windows 10, Exchange, Zoom, and Ubuntu Desktop all fell this week as hackers took aim at Pwn2Own, the annual hacking competition put on by Trend Micro's Zero Day Initiative.

After two days, hackers have earned $1.06 million of the roughly $1.5 million prize pool for Pwn2Own 2021.

While Pwn2Own is usually held alongside CanSecWest in Vancouver, because of the COVID-19 pandemic, this year's is being held remotely; contestants are submitting exploits remotely and ZDI staff in Toronto and Austin, Texas, are running them.

New this year - because of the increased usage of collaboration platforms like Zoom, Slack, and Microsoft Teams - is the competition's Enterprise Communications category. Two platforms in the category were successfully hacked, Zoom and Microsoft Teams.

Daan Keuper and Thijs Alkemade from Computest, a Danish IT firm, used three bugs to get code execution on Zoom Messenger. A researcher that goes by the name of OV took down Teams by using two bugs. Both exploits earned the contestants $200,000.

The exploit against Zoom sounds as if it was especially thrilling, coming with just 10 seconds left of the pair’s second attempt, occurring all without the target clicking anything.

As far as the other bugs go, on day one, a group of contestants going under the guise of Devcore paired an authentication bypass and a local privilege escalation to takeover an Exchange server. Windows 10 and Ubuntu Desktop also fell on day one.

On day two, Bruno Keith & Niklas Baumstark of Dataflow Security used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. The team earned $100,000. Other successes from day two include Parallels Desktop in the virtualization category, Chrome and Edge, and Ubuntu Desktop again.

As is usually par for the course with Pwn2Own week, many of these vulnerabilities should be patched in short order, either with an out of band patch or the next regularly scheduled round of updates. While vendors have 90 days to produce fixes for the vulnerabilities reported, some roll out patches much quicker. Mozilla engineers patched a Firefox vulnerability in less than a day a few years ago.

While the details of the Exchange bug aren’t fully known - other than that it combined an authentication bypass and a local privilege escalation - the fact that it even surfaced adds fuel to the proverbial Exchange fire from the last month.

Adminstrators have had their hands full over the last month plus scrambling to patch four zero day vulnerabilities in Microsoft Exchange Server that were being used in active attacks against enterprises by a state-sponsored hacking group, Hafnium. Microsoft said in late March that Microsoft earlier this week said that 92% of vulnerable Exchange servers had been patched or had mitigations applied.

One of the largest hacking competitions, Pwn2Own concludes Thursday with another attempt against Exchange, Parallels Desktop, Windows 10, and Ubuntu Desktop.

Tags:  Vulnerabilities

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.