Pwn2Own Contest Places a $75K Bounty to Hack VMware Workstation at CanSecWest Security Conference

February 16, 2016
Article Written by David Marshall

The annual Pwn2Own hacking contest returns next month to the CanSecWest security conference and researchers are going up against the most popular browsers and operating systems, challenged with finding and exposing exploits.  

For this year’s contest, participants will be asked to exploit Microsoft Edge or Google Chrome on fully patched versions of 64-bit Windows 10 and Apple Safari on OS X El Capitan.  

Exploiting Google Chrome or Microsoft Edge will earn hackers a $65,000 prize, while exploiting Apple Safari on Mac will earn a payout of $40,000.  Achieving system-level access on Windows or root access on Mac OS X would bring an additional bonus of $20,000 to the pot.

 

In a recent blog post, HPE’s vulnerability research manager Brian Gorenc said that since the inception of the competition back in 2007, Pwn2Own has increased the challenge level at each new competition.  And this year will be no exception.

Something new to this year’s event — contestants will be given the opportunity to expose a Windows environment that runs as a guest OS in a virtual machine running on VMware Workstation.  And although breaking out of the virtual machine itself is not mandatory, those who figure out how to do so could earn themselves an additional $75,000.

"This is our first year including VMware as a target, and we look forward to seeing what researchers will do with it," said Gorenc.

Exposing any new vulnerabilities in the VMware Workstation product right now adds an interesting twist: it was announced just recently, in January, that VMware had laid off 800 people, many of whom were members of the company’s "Hosted UI" team, the developers who were directly responsible for the company’s Workstation and Fusion desktop virtualization products.  Exposing any security problems within the widely used and extremely popular Workstation product at this stage could prove devastating, given the loss of the company’s brain power and subject matter experts on that platform.

You can also imagine that, once Workstation’s virtualization layer is compromised, the group’s next challenge will be to move on to VMware vSphere and then look towards the cloud.

As part of the contest, the event has issued a warning for contestants, stating:

"A successful entry in the contest should leverage a vulnerability to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions."

"The entry is required to defeat the target’s techniques designed to ensure the safe execution of code, such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and application sandboxing. The resulting payload should be executing in an elevated context (for example, on Windows-based targets, Medium integrity level or higher)," said Gorenc.

He continued, "The vulnerability or vulnerabilities used in each attack must be unknown, unpublished, and not previously reported to the vendor. A particular vulnerability can only be used once across all categories. A successful remote attack against these targets must require no user interaction beyond the action required to browse to the malicious content and must occur within the user’s session with no reboots, or logoff/logons."

The full set of rules for Pwn2Own 2016 is available here.

##

About the Author

David Marshall is an industry-recognized virtualization and cloud computing expert, a seven-time recipient of the VMware vExpert distinction, and has been heavily involved in the industry for the past 16 years.  To help solve industry challenges, he co-founded and helped start several successful virtualization software companies such as ProTier, Surgient and Hyper9 and also spent a few years transforming desktop virtualization while at Virtual Bridges.

David is also a co-author of two very popular server virtualization books: "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and "VMware ESX Essentials in the Virtual Data Center."  He was also the Technical Editor on Wiley’s "Virtualization for Dummies" and "VMware VI3 for Dummies" books.  David has also authored countless articles for a number of well-known technical magazines, including InfoWorld, Virtual-Strategy and TechTarget.  And in 2004, he founded the oldest independent virtualization and cloud computing news site, VMblog.com, which he still operates today.

Follow David Marshall

Twitter: @vmblog
LinkedIn: https://www.linkedin.com/in/davidmarshall
Blog: http://vmblog.com