The TFC 2019 took place in Chengdu, China, on the weekend of 16-17 November 2019. It is a hacker competition (TianfuCup 2019) in which the best hacker teams of China compete against each other. Once again, there were a lot of hacks on current software such as browsers, Office and virtualization solutions.
I became aware of the competition, which lasted several days, late on Sunday evening via this tweet.
Some number reviews for the two-day #TFC 2019 PWN contest:
17 teams delivered 28 on-site demonstrations with 20 successful and 8 failed
11 teams have gained bonus
8 targets been taken down
Total bounty of $545,000 awarded! Thanks everyone for participating! pic.twitter.com/k9voEyNHlg
— TianfuCup (@TianfuCup) November 17, 2019
The TFC Competition
The "Tianfu Cup", TFC (International Cracking Competition) aims to build China's own "Pwn2Own" community. The background: In spring 2018, the Chinese government banned its own security researchers from participating in hacker competitions organized abroad, such as Pwn2Own.
A few months later, the TianfuCup was launched in response to the ban to give researchers the opportunity to improve their skills. The first TFC Cup took place in autumn 2018 with great success. The security researchers successfully hacked Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox and other products.
At the TFC, three independent, parallel competitions are held. To be successful in the competition, teams must repeatedly exploit previously unknown security gaps in products, software and operating systems. The total prize money this year was 1 million US dollars.
Successful hacks, hacks, hacks
During the two-day competition there was a successful hack to break out of a virtual machine into the host operating system under VMware ESXi. The hackers of 360Vulcan needed only 24 seconds for it.
Verified to be a success! Congrats to 360Vulcan @XiaoWei__ on winning $200,000 – the highest bonus of #TFC 2019! https://t.co/xYqlhMJj7W
— TianfuCup (@TianfuCup) November 17, 2019
That earned the hacker a $200,000 bonus. However, two teams had to abandon their attempts to hack Ubuntu 19.10/CentOS 8 and Windows Server 2019.
There were two successful attacks on PDF readers. Of 20 demonstrations, 13 were successful, hacking browsers such as Chrome, Edge and Safari, as well as the Adobe PDF Reader mentioned above.
Brief review for #TFC Day 1:
20 demonstrations, with 13 being successful, 5 teams gained bonus.
6 targets were taken down #Edge, #Chrome, #Safari, #Adobe PDF Reader, #Office365, #DLink, #Ubuntu + qemu-kvm
Come back tomorrow at 9am! pic.twitter.com/LVYjPxilpX
— TianfuCup (@TianfuCup) November 16, 2019
Microsoft Office and D-Link products were also hacked. Catalin Cimpanu has summarized the whole thing in this tweet. The winner is the team from 360Vulcan, who earned a lot of money with the VMware hack (US $200,000) and the QEMU hack under Ubuntu (US $80,000).
Chrome, Edge, Safari hacked at Tianfu Cup, China's elite hacking competition
– (old) Edge hacked 3 times
– Chrome twice
– Safari once
– Office 365 hacked in 16 seconds
– 32 sessions announced: 13 successful, 7 failed, 12 abandoned https://t.co/0aA8C06xxx pic.twitter.com/ltD1SnH4tt
— Catalin Cimpanu (@campuscodi) November 17, 2019
Catalin Cimpanu has collected more details in this ZDNet article, but nothing is known about the vulnerabilities yet.