Share the post "Best Chinese hackers successfully hack Safari, Chrome and Office 365"
Less than one week ago there was a hacking competition in the city of Chengdu, China. Many fine Chinese hackers gathered to compete in the Tianfu Cup event.
Ethical hackers from China have a long history of success. However, since 2018 it is forbidden for Chinese experts to attend any events like this one abroad. Because of that, the Tianfu Cup competition took place last year for the first time and ended with great success. Best hackers earned more than $1 million in total for their achievements.
This year, during the two-day contest on 16 and 17 November, hackers try to find flaws in different software and use them to take over the given app using vulnerabilities that nobody has ever seen before.
During the first day, there have been 32 hacking attempts done by 11 different teams. Thirteen of them ended with success, seven failed and 12 were abandoned because of different reasons.
In 13 successful results, we can find software such as:
- Chrome (2 successful exploits)
Verified to be a success! Congrats to 360Vulcan @XiaoWei__ on wining $200,000 – the highest bonus of #TFC 2019! https://t.co/xYqlhMJj7W
— TianfuCup (@TianfuCup) November 17, 2019
- Safari (1 successful exploit)
StackLeader @codecolorist was just verified to get a partially successful entry on #Safari. They earned a bonus of $30,000.
— TianfuCup (@TianfuCup) November 16, 2019
- Microsoft Edge (3 successful exploits)
Congrats! All the three Edge exploits are confirmed to be success! Teams ddd @ExpSky and 360vulcan @mj0011sec both achieved RCE + sandbox escape, so each earned $55,000. Team .(dot) get $10,000 with RCE.
— TianfuCup (@TianfuCup) November 16, 2019
- Office 365 (1 successful exploit)
360Vulcan @guhe120 controlled #Office365 within 16 seconds just now, let’s wait for the verification result. In the meanwhile, attempts on Adobe are on-going.
— TianfuCup (@TianfuCup) November 16, 2019
The entry on #Office365 ProPlus is acheived by downloading a rtf document via Edge. It partially bypassed the #ProtectionView to gain the control. A bonus of $40,000 is awarded to 360Vulcan @guhe120
— TianfuCup (@TianfuCup) November 16, 2019
- qemu-kvm + Ubuntu (1 successful exploit)
Applause to 360Vulcan @Xiaowei__ He has successfully escaped from the #qemu-kvm, and execute arbitrary code on Ubuntu host’s operating System. The exploit is to be verified.
— TianfuCup (@TianfuCup) November 16, 2019
- Adobe PDF Reader (2 successful exploits)
Two successful RCE demonstrations today on #Adobe PDF Reader are from Bit-STARLabs @PTDuy and StackLeader @0x140ce @Jdddong @ppdonow. Tomorrow the attempts on Adobe will continue, we will know the final bonus distribution by then.
— TianfuCup (@TianfuCup) November 16, 2019
- D-Link DIR-878 Router (3 successful exploits)
Three teams HAC, team StackLeader @yuzhou6666 @ppdonow and team NoTrace Security Lab @NoTrace24657171 controlled #DLink DIR-878 successfully. There will be several other teams working on this target tomorrow. Let’s wait for the bonus result tomorrow.
— TianfuCup (@TianfuCup) November 16, 2019
The second day was not as busy as the first one. There were 16 hacking sessions scheduled, half of them actually took place and only one ended with failure. Security experts had to give up on eight of them due to different circumstances as in the previous day.
The seven successful attempts were as following:
- Adobe PDF Reader (2 successful exploits)
The final result for #Adobe PDF Reader comes out! Another two teams Team ddd @ExpSky @klotxl404 and 360Vulcan @kgsdy1 @hukeqi also successfully got RCE. The 4 wining teams will all get $7,500 to each. Congrats! https://t.co/cZDl0ZJTxc
— TianfuCup (@TianfuCup) November 17, 2019
- D-Link DIR-878 (4 successful exploits)
Today, 4 more teams also succeeded in hacking the D-Link DIR-878: ddd, 360 Information Security Center @1arryx1 , 360 Chengdu Security Team @kgsdy1, @hukeqi and SISLAB PWN @ben_dh_kim . The final bonus will be announced soon.
— TianfuCup (@TianfuCup) November 17, 2019
- VMWare Workstation (1 successful exploit)
Amazing! 360Vulcan @XiaoWei___ successfully escaped from the #VMware #EXSi and controled the host’s operating system within 24 seconds. Now, they went to the review room with the judges. Let's wait patiently for the final result.
— TianfuCup (@TianfuCup) November 17, 2019
In the failed exploits security experts did not manage to hack things such as iPhone 11 Pro or Windows Server 2019. The winning Team 360Vulcan gave up hacking the iPhone 11 Pro that was scheduled for the end of the tournament. However, they still manage to win the competition and earn $ 382,500 for their achievements.
In cybersecurity, this kind of competition plays a big role in improving safety. After white hat hackers successfully hack anything, companies owning these devices or software are informed about the situation in order to be able to fix it and develop their products in the future.
References:
https://www.zdnet.com/article/chrome-edge-safari-hacked-at-elite-chinese-hacking-contest/
https://adware.guru/tianfu-cup-hackers-competition/
What would the world do without Chinese and Russian hackers