The World's Hardest Hacking Competition - Pwn2Own Documentary (Part 1)


Contents (3 segments)

Segment 1 (00:00 - 05:00)

I witnessed the exchange of a critical zero-day exploit and then followed the journey of how the vulnerability was analyzed and ultimately patched. In this video, I will tell you this story. We have an outstanding show. We treat this sort of, I call it the fire drill. Well, the wish is that they fail. This goes back quite far. So we have to figure out if we can actually do that. But we can't talk about browsers without talking about, of course, Manfred Paul. It's usually two completely different worlds because there's so much optimization happening. Yes, there you go. They said it's not just about finding the exploit, also making it reliable. We're in the taxi now and we are going to the Mozilla office. They said they only started looking at Firefox two weeks ago. That doesn't get a lot of recognition.

Followers of my channel know that I played a lot of capture-the-flag hacking competitions. These competitions work by somebody creating intentionally vulnerable software, and then the players try to find the vulnerability and exploit it. Now, Pwn2Own is a different kind of hacking competition. The original idea was that if you pwn or hack a real device, you own it: pwn to own. So it's about hacking real devices, real software, and of course with the latest updates. I want to emphasize this again: the vulnerabilities used in this competition, they are zero-days. So yes, Pwn2Own is a competition, but it's a very prestigious competition. It's serious. We are dealing with real issues that could cause real harm. And that's why it's so special to me that I got exclusive access. So let me tell you how.

This USB stick was just sold for $50,000. What could be that valuable? It's not a crypto wallet, no stolen data, and no state secrets. Just a few lines of code. Beautiful, but dangerous code. A zero-day exploit. In a back room of a hotel in Berlin, the trade went down. They are the ones who bought it. Sold it. And they will make it worthless within hours.
This is the story of two Firefox zero-days, the world's most prestigious hacking competition, and what it takes to keep millions of users safe. This is Freddy. I'm managing application security for Firefox and yeah, looking forward to Pwn2Own. He told me Pwn2Own is coming to Berlin and Firefox is a target. Do you want to follow us with the camera and document the process? So, well, here I am. This is Christian from Mozilla, also online known as Decoder. I'm Christian Holler, or Decoder. I'm a principal engineer working mostly on security as well, and also looking forward to Pwn2Own.

How does it look on the vendor side? What does Pwn2Own mean to Mozilla? For us, it's a controlled situation. It's a good general exercise for us, but we can prepare. So people don't have to be that stressed out as if you would have a real zero-day. But we can still practice the zero-day case, and we use it as practice for courses. Yeah. Even though no real users are harmed, right? There's no real attack in the wild. We treat this sort of, I call it the fire drill. We see what would it look like if it was. I would also add, due to the fact that it's recurring, like we know it's happening every year, what's happening at Pwn2Own, every security bug drives our internal security agenda. What we see there, we're trying to prepare against. We're trying to harden more. We're trying to look at the types of bugs that we're getting. And then since we know in the year this will happen again, we can sort of see a bit of the result. Is it still being done this way? Have the attackers changed, right? Otherwise, we would just have to wait for another zero-day, which happens very, very rarely. So this is also some kind of confirmation that we're doing the right things. It's a great and different way to learn about exploits and how they look, without minification and in the wild, but rather a well-documented

Segment 2 (05:00 - 10:00)

exploit with detailed code comments and documentation and all of that. And I think that's really more insightful than any actual in-the-wild exploit could be. So Mozilla uses Pwn2Own as kind of a security incident fire drill. And I think we all can learn something from this, whether you are a red teamer or pentester, bug hunter, blue team, or developer. We are getting here exclusive insight into how Mozilla handles this. But of course, I'm not only interested in the defense. I want to learn more about the hackers as well. So let's have a look at the competitors.

While the competition categories of Pwn2Own are known beforehand, nobody actually knows who will participate and in what order. So when we were all planning this, we didn't know if anybody was going to hack Firefox. But on the 14th of May, two days before the competition, we tuned into the live stream where they are announcing and drawing the order of the competition. Now, will somebody target Firefox?

Well, hello everyone. I am Dustin Childs, head of threat awareness here at Trend Zero Day Initiative. With me is Brian Gorenc. Brian, how are we doing today? Oh, we're busy. Busy, busy for sure. And a little tired. We have an outstanding show. Welcome to Pwn2Own Berlin. This is going to be fantastic. We have 34 entries, over a dozen in AI, right? Yes. Very busy in the AI category this year. And of course, we have web browsers, we have servers, we have virtualization. It's going to be hit pretty heavily. So with that being said, I have a bucket full of people. So let's start pulling names and let's start looking at the schedule and see how things are going to fall out. So, Brian, would you? I'll go first. That's right. We have all of the operating systems getting hit except macOS, right? Yes. So read into that whatever you may. Next up, we got Edouard Bochin and Tao Yan from Palo Alto Networks targeting Firefox, render-only, in the web browser category. 50 grand and five Master of Pwn points. First browser entry.
There you go. Next up, we have Manfred Paul, who was the winner last year, targeting Mozilla Firefox in the web browser category for $50,000 and five Master of Pwn points. Yeah, it'll be good to see him again. I just saw him recently in Korea. Manfred Paul, the year before at Pwn2Own in Vancouver, he was crowned the Master of Pwn. But we can't talk about browsers without talking about, of course, Manfred Paul. There are four browsers in the competition: Firefox, Safari, Edge, and Chrome. How many did he hit? Every single one of them. Congratulations. I drove to the Mozilla office and met up with Freddy and Christian, and I wanted to ask them what they think about the contestants. Two security researchers from Palo Alto Networks. They won a Pwnie Award last year for security research in V8 and WebAssembly in particular. So we are aware of that, and that is kind of a guiding insight. And the other participant, Manfred Paul, who's been attacking Firefox and Pwn2Own two times now, we kind of know what kind of bugs he would like to look at. And we guess it might be something similar, but we don't know. And we don't lock ourselves into that specific possibility. Do you have a personal hunch or wish maybe which components they target? Well, the wish is that they fail. As much as I like this as an instrument of learning and getting feedback about how exploits are being written, of course ideally I would just like them to fail on stage. As much as I don't want to offend them as a person I wish everyone to succeed in their aspirations as a person but of course I want them to not be able to exploit. I would say it's not necessarily that I wish for a particular area to be affected, but I'd rather prefer an area for example, if something happened in the JavaScript engine the people there are very well aware of the processes on how this works. We've had this before. They have a lot of experience with the situation. So you could expect that this goes very, very smoothly. 
While it could always happen that we have a vulnerability in some part of the code that has been in maintenance mode for, like, forever, nobody touched this for a very, very long time. Being in this situation is much more tricky. We have to figure out who exactly last worked on that and who actually maintains that right now, and when have we last touched this. Such a situation would make me more nervous than touching, for example, the JavaScript engine. Hearing Mozilla's perspective before the competition was interesting, but what actually

Segment 3 (10:00 - 14:00)

will happen, they also don't know. So let's jump to the next day, day one of the competition. We're rather excited. We don't know what the bug is going to look like. I wouldn't necessarily say that we're nervous. I think we have a checklist. We went through the checklist. We're somewhat confident that we know how to handle this, but we are really excited to see this in person for the first time for us. And yeah, cool bugs are always worth looking at. So in the disclosure room, Christian is going to start bisecting, analyzing, trying to reduce the test case such that we can do a better analysis of where it was introduced, what the patch intended to do when the bug was introduced. And I'm going to kick off all the communications with our team offsite and make sure that they can get started to work with it in parallel, also bisect, analyze, maybe even start fixing it.

Pwn2Own live streams their competitions on YouTube. So at some point they went live and we waited for Edouard Bochin and Tao Yan from Palo Alto Networks to execute their exploit. Web browsers are a traditional target here at Pwn2Own. So gentlemen, whenever you're ready, kick it off. And just in case you're wondering, to win this category you do have to have a zero-click. Browse to a web page is all you get. Yes, there you go. So that is a successful demonstration. Now I want to be very clear about something. They did not hack Firefox in five seconds. They demonstrated it; they worked on that exploit for weeks ahead of time before they brought it here. So don't let anyone tell you that this browser was hacked in five seconds or whatever, because that's garbage. It's weeks and weeks of work to get that exploit. It's fantastic work. Now they go off to the disclosure room and they're going to tell us exactly what happened. Then Mozilla is here. We'll bring Mozilla in. We'll hand the bug to them, and they get 90 days to go off and fix it.
As you just heard, we are now heading to the disclosure room to hear all about the exploit, but not yet. Before that, the researchers had to do some interviews and some photos. That's something I didn't predict. And I could tell Freddy and Christian were pretty anxious. They just wanted to go to the room. Eventually, we walked together through the long hallways of the hotel into some mysterious back room, a secret conference room, but we were not allowed in there. First, the researchers had to share their exploit with ZDI, because ZDI, the organizers of Pwn2Own, need to make sure all the required information is there. And it turns out that process took a while. It's now 11:45, so it has been quite a while since they proved it on stage. They are still in the room with ZDI to confirm the bug. We do wonder why. Are there details missing? Are they not sure if it's a duplicate? Because that's one of the things ZDI looks for. It could be that it's a duplicate, and that's why it takes this long. So let's see how much longer it takes.

I know you want to know what the secret room is like and what's happening in there. Believe me, I want to know it too. But we had to wait a bit longer. And unfortunately, you also have to wait for part two. So subscribe on YouTube or follow on Twitter or Instagram to not miss the next part, where we finally hear about the exploit. If you're interested to learn more about hacking, check out also our online courses on hextree.io. We primarily have Android, web, and some hardware hacking videos right now. But if you're just interested in my free YouTube courses, you still should head over to hextree.io because we put all my YouTube videos into a huge map as well. Here you can explore all my backlog of hundreds of videos in a more organized way and explore all the different topics that you might find interesting.
