The third and final day of the largest Pwn2Own shapes up with three entries and the awarding of Master of Pwn. It’s a tight race with multiple teams still in the running. Here’s the schedule for Day Three:

9:00am – 360 Security (@mj011sec) targeting Microsoft Edge with a SYSTEM-level escalation and a virtual machine escape
SUCCESS: The 360 Security (@mj011sec) team used a used heap overflow in Microsoft Edge, a type confusion bug in the Windows kernel, and an uninitialized buffer in VMware for a complete virtual machine escape. They more than earn $105,000 and 27 Master of Pwn points.

11:00am – Richard Zhu (fluorescence) targeting Microsoft Edge with a SYSTEM-level escalation
SUCCESS: Richard Zhu (fluorescence) leveraged two separate use-after-free (UAF) bugs in Microsoft Edge then escalated to SYSTEM using a buffer overflow in the Windows kernel. The garnered him $55,000 and 14 points towards Master of Pwn.

12:30pm – Tencent Security - Team Sniper (Keen Lab and PC Mgr) targeting VMWare Workstation (Guest-to-Host)
SUCCESS: Tencent Security - Team Sniper (Keen Lab and PC Mgr) used a three-bug chain to win the Virtual Machines Escapes (Guest-to-Host) category with a VMWare Workstation exploit. They used a Windows kernel UAF, a VMware info leak and an uninitialized VMware buffer to go guest-to-host. This garnered them $100,000 and 13 points for Master of Pwn.

5:45pm – Final closing and Master of Pwn award ceremony

Stay tuned as we will update this blog throughout the day with results from each attempt.