Published on November 11th, 2019

Pwn2Own Tokyo 2019 victimizes Sony, Samsung and Amazon devices

Contestants at Pwn2Own Tokyo 2019 took down an impressive number of high-profile products during the competition's two days, including a Sony smart TV, a Netgear router and an Amazon Echo Show 5.

The two-day event paid contestants a total of $315,000, with Team Fluoroacetate, Amat Cama and Richard Zhu, being named Master of Pwn.

Master of Pwn winners Richard Zhu and Amat Cama of Team Fluoroacetate

Day One, November 6, saw more than $195,000 awarded for 12 bugs. Overall, participants had nine successful attempts against seven targets in five categories, several of which were new for 2019.

The first day was dominated by the eventual event winners, Team Fluoroacetate. The team took on two smart TVs, a home assistant, and the Xiaomi Mi9 and Samsung Galaxy S10 smartphones. This included the first hack of a television in Pwn2Own history.

On the Sony TV, the duo quickly obtained a bind shell through a JavaScript out-of-bounds (OOB) read in the embedded web browser, earning $15,000. They also attacked a Samsung Q60 TV; their first attempt failed, but they then used an integer overflow in JavaScript to get a reverse shell from the television. The successful demonstration earned the team another $20,000 and 2 Master of Pwn points.

Fluoroacetate scored again in the new home automation category, going after an Amazon Echo Show 5 with an integer overflow in JavaScript to compromise the device and take control of it. This exploit earned them $60,000 and 6 Master of Pwn points.

Team F-Secure Labs (Mark Barnes, Toby Drew, Max Van Amerongen and James Loureiro) also went up against the Xiaomi Mi9 handset in the Web Browser category, where they had partial success using a couple of chained logic bugs.

Their final target was a Samsung Galaxy S10, going in through the NFC component. They used a JavaScript JIT bug followed by a use-after-free (UAF) to escape the sandbox and grab a picture off the phone, earning $30,000.

Newcomers Team Flashback, Pedro Ribeiro and Radek Domanski, targeted the LAN interface of the NETGEAR Nighthawk Smart Wi-Fi Router (R6700); the router category was also new this year. They successfully used a stack-based buffer overflow to get a shell on the router, worth $5,000.

Their next target was a TP-Link AC1750 Smart Wi-Fi router, where they chained three different bugs to inject their code onto the device.

Fluoroacetate was back on Day 2, again targeting a Samsung Galaxy S10, this time from a rogue base station, using a stack overflow to push their file onto the target handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points. They then targeted the S10 once more, employing an integer overflow along with a UAF for the sandbox escape to exfiltrate a picture from the phone.

The TP-Link AC1750 Smart Wi-Fi router was again in Team Flashback's sights. This time the exploit combined a stack overflow with a logic bug to gain code execution on the device, earning them $20,000 and one more point towards Master of Pwn.

F-Secure Labs also took on the TP-Link AC1750, combining a command injection bug with some insecure defaults to gain code execution on the device for $20,000. The team also went after the Xiaomi Mi9 again, using a crafted NFC tag to trigger an XSS bug that allowed them to send a photo from that phone to another, earning a further $30,000.
