Pham Van Khanh, 29, and Dao Trong Nghia, 23, from Viettel Cyber Security, a subsidiary of military-run telecommunications company Viettel Group, won the “Local Escalation of Privilege” title when targeting Microsoft’s Windows 10.
The team used an integer overflow in Windows 10 to escalate from a regular user to system privileges during a competition on April 6.
For each category, the contest, held online by Zero Day Initiative, a U.S.-based international software vulnerability initiative started in 2005, evaluates competitors via “success,” “partial” and “failure” levels.
Khanh and Nghia, the only representatives of Vietnam at the contest, were rated “partial” when they targeted Microsoft Exchange in the Server category on April 7.
The team successfully demonstrated code execution on the Exchange server, though some of the bugs they used in their exploit chain had been previously reported in the contest.
Aside from the two categories featuring the Vietnamese team, Virtualization, Web Browser, Enterprise Applications, Enterprise Communications, and Automotive categories rounded off the event.
Nghia said the contest was a “big challenge.”
“Normally, detecting errors in a system is already a hard job. In this contest, it was much harder since I had to find errors and create an attack code in a limited period of time.”
Each category test at Pwn2Own lasts 20 minutes.
As one of the biggest cyber-attack competitions in the world, Pwn2Own has been held annually since 2007 and “is known as one of the industry’s toughest hacking contests,” as described by TechCrunch.
This year, the overall prize pool is greater than $1.5 million in cash, with the highest prize worth $200,000.
Due to the ongoing pandemic, participants had to submit their exploits remotely instead of traveling all the way to Canada and the U.S. for the competition.
This year’s event is one of the largest in Pwn2Own history, with 23 separate entries. Overall, the Vietnamese team earned 11.5 points to rank fourth.