At the Tianfu Cup 2021, the fourth edition of the worldwide cybersecurity competition in Chengdu (China), unique and unpublished vulnerabilities were used for successfully getting into Windows 10, iOS 15, Google Chrome, Apple Safari, Microsoft Exchange Server, and Ubuntu 20.
Windows 10, Ubuntu 20/CentOS 8, Microsoft Exchange Server 2019, Google Chrome for Windows 10 21H1, Apple Safari for MacBook Pro, iPhone 13 Pro running iOS 15, Adobe PDF Reader, Parallels Desktop, Docker CE, VMware Workstation, VMware ESXi, Synology DS220j DiskStation, domestic mobile phones running Android, QEMU VM, and ASUS RT-AX56U router were among the targets this year.
In 2018, the Chinese version of Pwn2Own was launched in response to a government law prohibiting security researchers from competing in international hacking competitions due to national security concerns.
Every target was successfully attacked, except the Synology DS220j NAS, Xiaomi Mi 11 smartphone, and an undisclosed Chinese electric vehicle.
This event was a two-day tournament and took place on October 16 and 17. Kunlun Lab took home the top award ($654,500) for demonstrating practical vulnerabilities in iOS 15, including a remote code execution issue in mobile Safari within just 15 seconds.
Google Chrome was also pwned by researchers from the cybersecurity company, who could obtain Windows system kernel level privilege with just two flaws.
Team PangU finished in second place with a total of $522,500 for demonstrating a remote jailbreak on an iPhone 13 Pro running iOS 15. It was the first time when the newly launched iPhone model had been cracked in public. The Vulnerability Research Institute (VRI) came in third place with $392,500.
The vulnerabilities have not been disclosed in detail, but fixes for the newly discovered issues are anticipated to be released in the coming weeks.
