Security Research
Showing results for 
Search instead for 
Do you mean 

Pwn2Own 2015: Day One results

Dustin_Childs ‎03-18-2015 11:10 PM - edited ‎03-19-2015 03:00 PM

The first day of Pwn2Own 2015 saw successful attempts by four entrants against four products, with payouts of $317,500 to researchers during today’s competition.


Here are the highlights of the day’s proceedings.


The contest began hard and fast with Team509 and KeenTeam exploiting Adobe Flash. The team of Zeguang Zhao (Team509), Peter, Jihui Lu, and wushi (KeenTeam) used a heap overflow remote code execution vulnerability in Flash, then leveraged a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. They were awarded $60,000 USD for the Flash bug and a bonus of $25,000 for the SYSTEM escalation.


Nicolas Joly followed with his own exploit of Flash. He used a use-after-free (UAF) remote code execution vulnerability and sandbox escape directory traversal vulnerability in the Flash broker. He was awarded $30,000 for his efforts. While an excellent bug, the payout ended up lower due to the random drawing – only the first successful entrant in each category is awarded the full payout.


Nicolas continued his exploitation domination by taking down Adobe Reader through a stack buffer overflow – once for an info leak and again for remote code execution. He then leveraged an integer overflow to exploit the broker, netting him a cool $60,000 USD. For the day, that brings his total payout to $90,000 USD. Not bad for writing the final part of the exploit chain on the flight to the conference (according to him).


From there, Peter, Jihui Lu, Wen Xu, wushi (KeenTeam), and Jun Mao (Tencent PCMgr) continued rollin’ in the heap by taking down Adobe Reader with an integer overflow and achieved pool corruption through a different TTF bug. This got them SYSTEM access and a total of $55,000 USD - $30,000 for the Reader bug and another $25,000 bonus for the SYSTEM escalation. Their one-day total stands at a nifty $130,000.


Mariusz Mlynski stepped up to Mozilla Firefox and knocked it out of the park through a cross-origin vulnerability followed by privilege escalation within the browser – all within .542 seconds. This allowed him to execute a logical flaw to escalate to SYSTEM in Windows and take home $30,000 USD for the Firefox bug and an additional $25,000 bonus for the privilege escalation.


Wrapping up day one, a new entrant this year, 360Vulcan Team was able to exploit 64-bit Microsoft Internet Explorer 11 with an uninitialized memory vulnerability netting them medium-integrity code execution and $32,500 USD.


That’s quite a first day for all involved. It’s hard to “calc.exe” all the winnings (sorry, pwner pun), but after Day One, the affected product vulnerability count stands at:

  • 3 bugs in Adobe Reader
  • 3 bugs in Adobe Flash
  • 3 bugs in the Windows operating system
  • 2 bugs in Internet Explorer 11
  • 2 bugs in Mozilla Firefox
  • $317,500 USD bounty paid out to researchers

Congratulations to all of today’s champions. We’ll pick up things again tomorrow with Apple Safari, Google Chrome, and Internet Explorer all being targeted by various entrants. As we did today, the proceedings will begin at 10am PDT. Good luck to our Day Two participants and again, thanks to our co-sponsors at Google Project Zero.

0 Kudos
About the Author


I am a senior security content developer with Hewlett Packard Enterprise Security Research. In this role, I write and edit security analysis and supporting content from researchers. I am also responsible for providing insight into the threat landscape; competitive intelligence to the research team; and providing guidance on the social media roadmap. Part of my role includes speaking publicly and promoting the research and technology of HPE Enterprise Security Products .

27 Feb - 2 March 2017
Barcelona | Fira Gran Via
Mobile World Congress 2017
Hewlett Packard Enterprise at Mobile World Congress 2017, Barcelona | Fira Gran Via Location: Hall 3, Booth 3E11
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all