Pwn2Own Austin 2021 - Schedule and Live Results

November 01, 2021 | Dustin Childs

Welcome to Pwn2Own Austin 2021! This year’s consumer-focused event is our largest ever with 58 total entries from 22 different contestants. As with all of our contests now, you can follow along live on YouTube and Twitch. With attempts going every 30 minutes, it should be an exciting few days.

As always, we started the contest with a random drawing to determine the order of attempts. You can view the results here. Our schedule is so packed, we’ve extended the contest to a fourth day. The complete schedule for the contest is below (all times Eastern [GMT -4:00]). We will update this schedule with results as they become available.

Note: All times subject to change - You can watch the event live here.


Tuesday, November 2

For a quick review of Day One, check out our recap video here.

1000 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Sam used a three-bug chain that included an unsafe redirect and a command injection to get code execution on the Western Digital My Cloud Pro Series PR4100. This successful demonstration earns him $40,000 and 4 Master of Pwn points.

1030 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Pham leveraged a logic error to compromise the WAN interface of the Cisco RV340 router. He earns $30,000 and 3 Master of Pwn points.

1100 - The Synacktiv (@Synacktiv) team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The Synacktiv team used a heap overflow to take over the Canon ImageCLASS printer and bring home the first Printer Category win in Pwn2Own history. They earn $20,000 and 2 points towards Master of Pwn.

1130 - trichimtrich and nyancat0131 targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi in the router category

SUCCESS - trichimtrich used an Out-Of-Bounds (OOB) Read to get a root shell via the LAN interface of the TP-Link AC1750 router. This earns him $5,000 and 1 point towards Master of Pwn.

1200 - The THEORI Team (@theori_io) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The THEORI team combined an OOB Read and a stack-based buffer overflow to take over the Western Digital My Cloud Pro Series PR4100 NAS device. They used a unique bug chain, so they earn the full $40,000 and 4 points towards Master of Pwn.

1230 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Pham from Team Orca of Sea Security used a three-bug chain, including an auth bypass and a command injection, to take over the LAN interface of the Cisco RV340. This effort earns him $15,000 and 2 more Master of Pwn points.

1300 - Ken Gannon (@yogehi) of F-Secure Labs (@fsecurelabs) targeting the Samsung Galaxy S21 in the Mobile Phone category

FAILURE - Unfortunately, Ken could not get his exploit to work within the time allotted.

1400 - Bugscale targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Bugscale included known bugs. They still earn $20,000 and 2 Master of Pwn points.

1430 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The exploit chain used by the CrowdStrike team included some known bugs. They still earn $10,000 and 1.5 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to take over the Canon ImageCLASS printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

1530 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

SUCCESS - Bien Pham finishes Day 1 by using an OOB Read bug to take control of the TP-Link AC1750 router via the LAN interface. This earns him another $5,000 and 1 Master of Pwn point.

1630 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Sonos One Speaker in the home automation category

SUCCESS - The DEVCORE team used an integer underflow to gain code execution on the Sonos One Speaker. They earn $60,000 and 6 points towards Master of Pwn.

1700 - Gaurav Baruah (@_gauravb_) targeting the WAN interface of the Cisco RV340 in the router category

COLLISION - A partial collision. One of the bugs used by Gaurav was previously known. He still earns $22,500 and 2.5 Master of Pwn points.

1730 - The THEORI Team (@theori_io) targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The THEORI Team used a stack-based buffer overflow to get code execution on the 3TB My Cloud Home Personal Cloud from WD. This earns them $40,000 and 4 Master of Pwn points, giving them a 1 day total of $80,000 and 8 points.

1800 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to gain code execution on the HP Color LaserJet Pro. They earn another $20,000 and 2 Master of Pwn points, bringing their day 1 total to $100,000 and 10 Master of Pwn points.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

— trichimtrich and nyancat0131 targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - trichimtrich leveraged an integer overflow to gain code execution via the LAN interface of the NETGEAR R6700v3 router. They win another $5,000 and 1 more point towards Master of Pwn.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Team Flashback could not get their exploit to work within the time allotted.

— Bugscale targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Bugscale team combined an authorization bypass with a command injection bug to get code execution on the LAN interface of the NETGEAR router. They earn $5,000 and 1 Master of Pwn point.

— crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Mofoffensive Research Team combined a heap overflow and a stack-based buffer overflow to gain code execution on the LAN interface of the NETGEAR R6700 router. Their efforts earn $5,000 and 1 Master of Pwn point.

Wednesday, November 3

For a video overview of the Day Two results, see here.

1000 - NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The NCC Group leveraged a memory corruption bug three different ways (and overcame a timing issue) to get code execution on the Western Digital My Cloud Pro Series PR4100. They earn themselves $40,000 and 4 Master of Pwn points.

1030 - Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - The Flashback team of Pedro and Radek used an impressive stack-based buffer overflow to get code execution on the WAN interface of the Cisco RV340 router. They earn $30,000 and 3 Master of Pwn points.

1100 - Nicolas Devillers (@nikaiw), Jean-Romain Garnier, and Raphael Rigo (@_trou_) targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The team of Nicolas Devillers, Jean-Romain Garnier, and Raphael Rigo obtained code execution on the Canon ImageCLASS printer through a stack-based buffer overflow. This unique bug chain earns them $20,000 and 2 Master of Pwn points.

1130 - crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

FAILURE - Unfortunately, the Mofoffensive Team could not get their exploit to work within the time allotted.

1200 - The Synacktiv (@Synacktiv) team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The Synacktiv team leveraged a configuration error bug to get code execution on the PR4100. They earn $40,000 and 4 Master of Pwn points.

1230 - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab used 3 unique bugs, including an authorization bypass and a command injection, to get code execution on the Cisco RV340 via the LAN interface. They earn $15,000 and 2 Master of Pwn points.

1300 - The STARLabs Team targeting the Samsung Galaxy S21 in the mobile phone category

COLLISION - The exploit chain used by the STARLabs team included a bug known by the vendor. They still earn $25,000 and 2.5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the Sonos One Speaker in the home automation category

SUCCESS - The Synacktiv team used a stack-based buffer overflow to compromise the Sonos One speaker and play us a tune. They earn $60,000 and 6 Master of Pwn points.

1430 - trichimtrich and nyancat0131 targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - trichimtrich used nearly all the time on the clock, but his command injection bug is unique. His takeover of the Cisco RV340 via the WAN interface earns him $30,000 and 3 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The DEVCORE team successfully exploited the WD PR4100, but the bugs they leveraged had been previously used in the competition. Their work still earns them $20,000 and 2 Master of Pwn points.

1530 - The STARLabs Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

COLLISION - The STARLabs team exploited the LAN interface of the TP-Link AC1750 router, but they used a known bug. This still nets them $2,500 and .5 Master of Pwn points.

1600 - The Synacktiv (@Synacktiv) team targeting the Lexmark MC3224i in the printer category

SUCCESS - The Synacktiv team combined three unique bugs, including an unprivileged access bug and a command injection bug, to get code execution on the Lexmark MC3224i printer. They earn $20,000 and 2 more Master of Pwn points.

1700 - The STARLabs Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) of the STARLabs team included bugs previously used in the contest. They still earn $20,000 and 2 Master of Pwn points.

1745 - The Synacktiv (@Synacktiv) team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

COLLISION - The exploit chain used by the Synacktiv team included a bug used earlier in the competition. They still earn $10,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— The STARLabs Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) and Phan Thanh Duy (PTDuy) of STARLabs took over the 3TB My Cloud Home Personal Cloud from WD using a bug previously seen in the competition. They still earn $20,000 and 2 Master of Pwn points.

— Diffense Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - In their Pwn2Own debut, the Diffense Team runs into a collision. They were able to exploit the Western Digital My Cloud Pro Series PR4100, but the bug they leveraged was also used on Day 1. They still earn $20,000 and two Master of Pwn points in their debut effort.

— Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Lexmark MC3224i in the printer category

SUCCESS - The DEVCORE team used a code injection bug to take over the Lexmark MC3224i printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

— NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Lexmark MC3224i in the printer category

SUCCESS - The NCC Group again needed multiple attempts, but they successfully exploited the Lexmark MC3224i with a file write bug. They earn $20,000 and 2 Master of Pwn points.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Bien could not get his exploit to work within the time allotted.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - The two-bug exploit chain used by Bien included bugs used earlier in the competition. He still earns $2,500 and .5 Master of Pwn points.

— Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— Diffense Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the Diffense Team could not get their exploit to work within the time allotted.

Thursday, November 4

For a quick overview of Day Three results, see the recap video here.

1000 - Martin Rakhmanov (@mrakhmanov) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Martin used a unique two-bug chain that included a command injection to compromise the NAS device. He earns himself $40,000 and 4 points towards Master of Pwn.

1030 - The Synacktiv (@Synacktiv) team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The three-bug exploit chain used by the Synacktiv team included some known bugs. They still earn $7,500 and 1 Master of Pwn point.

1100 - Alexander Bolshev (@dark_k3y), Timo Hirvonen (@TimoHirvonen), and Dmitry Janushkevich (@InfoSecDJ) of F-Secure Labs (@fsecurelabs) targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The team from F-Secure Labs used a single stack-based buffer overflow to take over the printer and turn it into a jukebox. They earn $20,000 and 2 Master of Pwn points.

1200 - The STARLabs Team targeting the beta version of the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The STARLabs team of Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) combined an OOB Read and a heap-based buffer overflow to exploit the beta version of the 3TB My Cloud Home Personal Cloud from WD. They earn $45,000 and 5 Master of Pwn points.

1230 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The four-bug exploit chain used by Stephen included some known bugs. His successful demonstration still earns him $10,000 and 1.5 Master of Pwn points.

1300 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Samsung Galaxy S21 in the mobile phone category

SUCCESS - Sam used a three-bug chain to get code execution on the Samsung Galaxy S21. This successful demonstration earns him $50,000 and 5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The Synacktiv team used a two-bug chain to compromise the 3TB My Cloud Home Personal Cloud, but one of the bugs had been used prior in the contest. Their demonstration still earns them $20,000 and 2 Master of Pwn points.

1500 - Chris Anastasio (@mufinnnnnnn) targeting the Lexmark MC3224i in the printer category

COLLISION - Chris used a four-bug chain to compromise the Lexmark printer, but one of the bugs had been used prior in the contest. His efforts still earn him $17,500 and 1.75 Master of Pwn points.

1600 - The STARLabs Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the STARLabs Team could not get their exploit to work within the time allotted.

1700 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - Stephen used an uninitialized variable to get a root shell via the LAN interface of the NETGEAR R6700v3 router. He earns $5,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

The Synacktiv (@Synacktiv) team targeting the WAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Synacktiv team used an improper certificate validation and a stack-based buffer overflow to compromise the NETGEAR router via the WAN interface. They earn $20,000 and 2 critical Master of Pwn points.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - Pedro and Radek leveraged 2 bugs to exploit the NETGEAR R6700 router via the LAN interface, but the path traversal they chose was an N-day. This still earns them $3,750 and .75 Master of Pwn points.

Friday, November 5

For a quick overview of Day Four results, see the recap video here.

1000 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The DEVCORE team combined an OOB Read and an OOB Write to successfully exploit the 3TB My Cloud Home Personal Cloud from WD. This unique bug chain earned them $40,000 and 4 Master of Pwn points.

1030 - Diffense Team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The Diffense Team leveraged 4 bugs to exploit the Cisco RV340 router via the LAN interface, but some of the bugs had been seen earlier in the conference. This still earns them $10,000 and 1.5 Master of Pwn points.

1100 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the Lexmark MC3224i in the printer category

COLLISION - The team from CrowdStrike had no problem taking over the Lexmark printer using a three-bug chain, however all of the bugs used had been seen earlier in the contest. Their effort wins them $10,000 and 1 Master of Pwn point.

1200 - The NullRiver team of Xin’an Zhou, Xiaochen Zou, Zhiyun Qian targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The team used a pair of bugs to execute code via the LAN interface. They earn $5,000 and 1 Master of Pwn point.

1230 - Final wrap-up and the crowning of the Master of Pwn


Congratulations to the Synacktiv team for being crowned Master of Pwn! It was a tight race, but their combined efforts held off all challengers.

Thanks again to our partners Western Digital as well as our sponsor Synology. Thanks also to the researchers who participate and to the vendors for providing fixes for what’s discovered during the contest. As a reminder, vendors have 90 days to produce a fix for all vulnerabilities reported.