Hackers won $317,500 on day one of Pwn2Own 2015

Hackers have been awarded a total of $317,500 USD, for finding three bugs in Adobe Flash, three bugs in Adobe Reader, three bugs in the Windows operating system, two bugs in Internet Explorer, and two bugs in Mozilla Firefox, on the first day of Pwn2Own 2015, sponsored by HP’s Zero Day Initiative (ZDI) and Google’s Project Zero at the CanSecWest security conference in Vancouver, Canada.

Peter, Jihui Lu, and Zeguang Zhao of Team509, and wushi of KeenTeam were awarded $60,000 for exploiting flash by a heap overflow remote code execution vulnerability, and won additional of $25,000 for achieving system-level code execution by leveraging a local privilege escalation in the Windows kernel through TrueType fonts.

Nicolas Joly used a use-after-free (UAF) remote code execution vulnerability and sandbox escape directory traversal vulnerability in the Flash broker, and won $30,000.

Nicolas won another $60,000 for his exploitation of Adobe Reader through a stack buffer overflow, which lead to info leak and remote code execution.

Peter, Jihui Lu, Wen Xu, wushi (KeenTeam), and Jun Mao (Tencent PCMgr) earned $30,000 for targeting Adobe Reader with an integer overflow and achieved pool corruption through a different TTF bug, and $25,000 bonus for the SYSTEM escalation.

Mariusz Mlynski knocked out Mozilla Firefox through a cross-origin vulnerability, and execute a logical flaw to escalate to SYSTEM in Windows. Awarded $30,000 USD for the Firefox bug and an additional $25,000 bonus for the privilege escalation. 360VulcanTeam won $32,500 USD for exploiting 64-bit Microsoft Internet Explorer 11 for medium-integrity code through an uninitialized memory vulnerability.