Zoom, Safari, Windows, Ubuntu, MS Exchange, and Other are Hacked at Pwn20wn 2021!

Zoom, Safari, Windows, Ubuntu, MS Exchange, and Other are Hacked at Pwn20wn 2021!

On April 8 the spring edition of the Pwn20wn hacking contest is executed with and resulted in a three-way tie between Team Devcore, Computest Researchers Daan Keuper, OV, and Thijs Alkemade.

Meanwhile $1.2 million was awarded to the high-profile exploits that are throughout the three-day virtual event that was organized by the Zero Day Initiative (ZDI).

Zoom, Safari, Windows, Ubuntu, MS Exchange, and Other are Hacked at Pwn20wn 2021!

However, the Targets are successfully attempted that deals with Zoom, Apple Safari, Microsoft Exchange, Windows 10, Ubuntu Desktop operating system, Microsoft Teams, and Parallels Desktop.

In the contest the major highlights are described as follows;

  • The participates use authentication that overlaps and get the local privilege escalation while completing the take over through the Microsoft Exchange Server that comes when the Devcore team gets the sum of $200,000.
  • A zero-click exploit that targets the Zoom that employed the three-bug chain that exploits the messenger application and gets the access code execution on the targeted systems.
  • Chaining the pair of bugs to get the code execution in Microsoft Teams earns the researcher around $200,000.
  • The exploit aimed at Chrome renderer to get the Google Chrome and Microsoft Edge (Chromium) browsers $100,000.
  • Leveraging the use-after-free, race condition, and the integer overflow the bug that in Windows 10 to escalate from the ordinary SYSTEM that gives $40,000 each.
  • Combining the three flaws that deal with an uninitialized memory leak, a stack overflow bug, and integer overflow that escape parallels desktop that execute the code on the underlying operating system.
  • Exploiting a memory corruption bug to successfully execute the code on the host that operates the system from the Parallels Desktop.
  • The exploitation of out-of-bounds access bug that elevates the standard user to root the Ubuntu Desktop

The Zoom vulnerabilities that exploit the Daan Keuper and Alkemand of Computest Security that particularly noteworthy and the flaws also require no interaction with the victim and the other participant over the Zoom call. Both the Windows and Mac versions of the applications and it is not clear that if the Android and iOS versions are also infected or not.

While the Technical Details of flaws are still unclear that the Zoom has 90-day and windows have to address the issues before they were leaking publicly. The experts also notified the organizations for the same.

Whereas, the law firm states that the participants can take the system access and execute the commands that include turning on the microphone, reading emails, checking screen settings, accessing the camera, and viewing the downloading and browsing history.

The security researchers also said that Alisa Esage will become the first women who will win the Pwn20wn after finding the bug in virtualization software than Parallels.

However, Esage tweeted that; I can only state that my successful Pwn20wn participation attracted and very arguable and potentially outdated points while contest rules. In the real world, there are no such things that are arguable to the point.

Leave a Reply