Pwn2Own Miami 2020 - Schedule and Live Results

January 21, 2020 | Dustin Childs

Welcome to Pwn2Own Miami taking place at the 2020 edition of the S4 conference! The random draw for the order of contestants has been completed, and we’re all set for a great competition. This blog will be updated throughout the program with results and details of the contest, so check back often to see the results. In total, we have eight groups with 25 attempts across all five categories. Be sure to follow us on Twitter, where we’ll also be posting some videos of the proceedings.

For a brief overview of the Day Three and final results, take a look at this video:

Here’s a video overview of the full results from Day Two:

For a look at the first day of Pwn2Own Miam 2020, check out this video:

We’ll also be keeping track of the overall Master of Pwn overall standings here. This is the final standings for the contest. Congratulations to Steven Seely and Chris Anastasio of the Incite Team on their win!

Day One

9:30 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting a Denial-of-Service (DoS) against the Triangle Microworks SCADA Data Gateway in the DNP3 Gateway category.

SUCCESS - The Incite Team used a Stack-based Overflow to cause a DoS on the Triangle Microworks SCADA Data Gateway. They earn themselves $5,000 USD and 5 points towards Master of Pwn.

10:30 - Yehuda Anikster of Claroty Research (@claroty) targeting a DoS against the Iconics Genesis64 in the Control Server category.

SUCCESS - The Claroty crew used a deserialization bug to cause a DoS in the Iconics Genesis64. They earn $5,000 USD and 5 Master of Pwn points.

11:30 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting a remote code execution with continuation against Rockwell Automation FactoryTalk View SE in the HMI category.

PARTIAL - The Incite Team successfully demonstrated the RCE, but the bug used had been previously reported. This counts as a partial win but does get them 12.5 Master of Pwn points.

12:30 - Fabius Artrel (@FabiusArtrel) targeting a remote code execution with continuation against Rockwell Automation FactoryTalk View SE in the HMI category.

PARTIAL - Fabius also successfully demonstrated his RCE, but his bug had also been previously reported. He still earns 12.5 Master of Pwn points for this partial win.

1:30 - Tobias Scharnowski (@ScepticCtf), Niklas Breitfeld (@brymko), and Ali Abbasi (@bl4ckic3) targeting a remote code execution with continuation against Rockwell Automation FactoryTalk View SE in the HMI category.

SUCCESS - The team from the Horst Goertz Institute for IT-Security used an Out-Of-Bounds (OOB) Access to gain code execution. They earned themselves $25,000 USD and 25 points towards Master of Pwn.

2:30 - Flashback team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) targeting a remote code execution with continuation against Iconics Genesis64 in the Control Server category.

SUCCESS - The team of Pedro and Radek used a combination of two bugs to get a System-level remote shell on the target server. They earned themselves $25,000 USD and 25 points towards Master of Pwn.

3:30 - Tobias Scharnowski (@ScepticCtf), Niklas Breitfeld (@brymko), and Ali Abbasi (@bl4ckic3) targeting a remote code execution with continuation against Iconics Genesis64 in the Control Server category.

SUCCESS - The team from the Horst Goertz Institute for IT-Security used an OOB Access bug to get code execution on the Iconics Genesis64. They earned another $25,000 USD and 25 more points towards Master of Pwn.

4:30 - Flashback team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) targeting a remote code execution with continuation against the Inductive Automation Ignition in the Control Server category.

SUCCESS - The team of Pedro and Radek used an information leak and an unsafe deserialization bug to get code execution on the Inductive Automation Ignition. Their final effort ending Day One earns them another $25,000 and 25 more Master of Pwn points.

Day Two

9:00 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting a remote code execution with continuation against the Inductive Automation Ignition in the Control Server category.

SUCCESS - The Incite Team used an information leak along with a deserialization bug to get their code execution working at SYSTEM on the Induction Automation Ignition. This earns them $25,000 and 25 points towards Master of Pwn.

10:00 - Sharon Brizinov and Amir Preminger of Claroty Research (@claroty) targeting the remote code execution against the Schneider Electric EcoStruxure Operator Terminal Expert in the HMI category

SUCCESS Sharon Brizinov and Amir Preminger of Claroty Research used an arbitrary DLL loading bug along with a directory traversal bug to get code execution on the Schneider Electric EcoStruxure Operator Terminal Expert. They earn $20,000 and 20 Master of Pwn points.

11:00 - Flashback team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) targeting a remote code execution with continuation against the Rockwell Automation Factory Talk View SE in the HMI category

SUCCESS - The team of Pedro Ribeiro and Radek Domanski used a multi-bug chain to get code execution with continuation on the Rockwell Automation Factory Talk View SE. This earns them $25,000 and 25 more Master of Pwn points.

12:00 - Tobias Scharnowski (@ScepticCtf), Niklas Breitfeld (@brymko), and Ali Abbasi (@bl4ckic3) targeting a remote code execution with continuation against the Inductive Automation Ignition in the Control Server category.

PARTIAL - The team used a bug that had previously reported. This counts as a partial win. This did earn them 12.5 additional Master of Pwn points.

1:00 - Mashav Sapir and Sharon Brizinov of Claroty Research (@claroty) targeting a remote code execution with continuation against the Inductive Automation Ignition in the Control Server category.

PARTIAL - The team successfully demonstrated their exploit, but they used a previously reported bug. This still counts as a partial win and earns them 12.5 Master of Pwn points.

2:00 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting a remote code execution against the Schneider Electric EcoStruxure Operator Terminal Expert in the HMI category.

FAILURE - The Incite Team could not get their exploit to work within the time allotted.

3:00 – Ben McBride (@bdmcbri) of Oak Ridge National Laboratory targeting an information disclosure exploit against the Iconics Genesis64 in the Control Server category.

FAILURE - Ben was unable to get his information disclosure bug to work within the allotted timeframe.

4:00 - Ben McBride (@bdmcbri) of Oak Ridge National Laboratory targeting a remote code execution with continuation against the Rockwell Automation FactoryTalk View SE in the HMI category.

PARTIAL - Ben was able to demonstrate his RCE, but his bug had been previously reported. He still earns 12.5 Master of Pwn points for this partial win.

Day Three

9:00 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting a remote code execution against the Rockwell Automation Studio 5000 in the EWS category.

SUCCESS - The Incite Team of Steven and Chris began verifying their shell with literally only seconds left on the clock. They successfully used a combination of bugs to get code execution on the Rockwell Automation Studio 5000. This dramatic demonstration earns them $20,000 and 20 points towards Master of Pwn.

9:45 - Uri Katz of Claroty Research (@claroty) targeting a DoS exploit against the Triangle Microworks SCADA Data Gateway in the DNP3 category.

PARTIAL - The Claroty crew was able to executte their DoS against the Triangle Microworks SCADA Data Gateway, but the bug had been previously reported. This counts as a partial win and earns them 2.5 Master of Pwn points.

10:30 - Michael Stepankin (@artsploit) of Veracode targeting a remote code execution with continuation against the Inductive Automation Ignition in the Control Server category.

PARTIAL - Michael was able to successfully demonstrated his RCE, but the bug used had been previously reported. This counts as a partial win but does get them 12.5 Master of Pwn points.

11:15 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting a DoS against the OPC Foundation OPC UA .NET Standard in the OPC UA Server category.

SUCCESS - The Incite Team of Steven and Chris used a race condition to create a DoS on the OPC Foundation OPC UA .NET Standard. They earn themselves another $5,000 and 5 points towards Master of Pwn.

12:00 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting a remote code execution with continuation against the Iconics Genesis64 in the Control Server category.

SUCCESS - The Incite Team of Steven and Chris used a deserialization bug to get code execution with continuation on the Iconics Genesis64. That's another $25,000 and 25 Master of Pwn points. That puts them in a commanding lead for Master of Pwn with an astonishing 92.5 points total.

1:00 - Sharon Brizinov and Amir Preminger of Claroty Research (@claroty) targeting a remote code execution with continuation against the Rockwell Automation FactoryTalk View SE in the HMI category.

SUCCESS - The Claroty Research team used a combination of bugs to get code execution with continuation on the Rockwell Automation FactoryTalk View SE. They earn another $25,000 and 25 Master of Pwn points.

2:00 - Tobias Scharnowski (@ScepticCtf), Niklas Breitfeld (@brymko), and Ali Abbasi (@bl4ckic3) targeting a remote code execution with continuation against the Triangle Microworks SCADA Data Gateway in the DNP3 category

SUCCESS - The team from the Horst Goertz Institute for IT-Security used a couple of bugs to get code execution with continuation on the Triangle Microworks SCADA Data Gateway. They earn $25,000 and 25 Master of Pwn points. That puts them in 2nd place with 87.5 total.

3:00 - Ben McBride (@bdmcbri) of Oak Ridge National Laboratory targeting a remote code execution with continuation against the Inductive Automation Ignition in the Control Server category.

PARTIAL - Ben was able to demonstrate his RCE, but his bug had been previously reported. He still earns 12.5 Master of Pwn points for this partial win.

4:00 - Lucas Georges of Synacktiv (@Synacktiv) targeting a remote code execution with continuation against the Rockwell Automation FactoryTalk View SE in the HMI category.

PARTIAL - Lucas was able to demonstrate his RCE, but his bug had been previously reported. He still earns 12.5 Master of Pwn points for this partial win.

Please check back often, as we’ll be updating this blog throughout the contest with additional details and results. For a recap of the targets and rules, be sure to check out the launch blog.