Behind the Scenes of Pwn2Own Toronto 2022

Last week, we completed our largest Pwn2Own contest ever. We saw 66 entries over four days and witnessed some amazing research resulting in $989,750 USD for 63 unique 0-days. However, leading up to the event was anything but smooth sailing on calm seas. Here’s the wrap video summarizing the event:

When we published the rules, we anticipated quite a bit of interest in both the routers and the SOHO Smashup targets. What we didn’t expect was 85 entries overall. To put some perspective on that number, in 2017, we had 13 total entries in what was (at the time) our largest event ever. We’ve had some growth.

While we were struggling to find a way to run that many attempts in three days, the first of several patches appeared. Most notably, NETGEAR released a fix specifically targeting bugs that were scheduled to be demonstrated during the contest. TP-Link and Sonos also released updates. As a consequence, many contestants withdrew their entries. Our inbox was flooded with questions about various updates and configuration details. At one point, we were down to just over 50 entries. One of our goals with Pwn2Own is to incentivize companies to improve the security of their devices and services, so it’s great to see improvements happen – whether they are a direct result of Pwn2Own entries or pre-emptive patches that stop Pwn2Own entries. It also highlights the skill and ingenuity of the researchers participating in the contest as many had quickly bypassed the patch and re-submitted entries. By the time we started the contest, we had ramped back up to 66 entries scheduled for four days.

Targets awaiting configuration

Many don’t realize that each attempt needs at least two hours scheduled. The most obvious 30 minutes are the attempt itself. Before the attempt, we need time to set up the test environment. Sometimes that’s as simple as connecting a printer to a switch and giving it an IP address. Other times, it can be quite complex depending on the target. We need time after the attempt, too. The contestants provide ZDI analysts with the details of the bugs they used in their exploit. Pwn2Own is a true 0-day contest, which means an entry doesn’t qualify for the full award if we already know about the bug. In the past, we’ve seen contestants submit bugs to us and the vendors prior to the event in an attempt to kill their competitors’ bugs. Sometimes it works. Finally, we bring the vendors in to disclose the bugs to them as well. They are allowed to ask questions directly to the researchers about their entry. “How did you find this?” is a popular one. This is another great resource Pwn2Own provides – a bridge between a global network of independent researchers and vendors creating the services and products we all rely on.

All eyes on the primary stage

Now that we have identified the targets, published the rules, applied the patches, held the drawing, and made the schedule (whew!), we are ready to run an attempt. A ZDI analyst, sometimes “a gruff-looking bald man with a goatee,” will ask if you are ready, and the countdown begins. Now we find out if your hours and hours of research will work as intended or if something goes awry. Most often, the exploit succeeds and everyone claps. Visually, there’s not a lot to see. We can’t show the screens because we’re dealing with unpatched bugs. We don’t want them unintentionally exposed. Sometimes it fails. Contestants have the opportunity to make changes to their exploit, confirm configurations, ask questions, and try again. Sometimes they triumph on a subsequent attempt, which happened multiple times in this contest. For those interested, here’s a list of the bug types used during the event:

Once the contest is complete, our work continues as we coordinate the release of the patches with the vendors, develop protection rules for the various Trend Micro products we support, and work on paying the winners. While it really is a mountain’s worth of effort, Pwn2Own is one of the highlights of our year. And there’s always another one coming up. Just days before the Toronto event occurred, we announced the rules and targets for our Miami contest, which happens in February.

Disclosing bugs after a successful attempt

I’ve literally lost count of how many Pwn2Owns I have participated in. Each one has its own unique story. Each one leaves us a different sort of exhausted. Each one shows us something we’ve never seen before. And that’s why we’ll keep doing them as long as the powers that be allow us to do so. We hope to see you at one someday soon.

The Master of Pwn trophy all lit up

Source: Zero Day Initiative – Blog
