Overview

After the success of last year’s Hack2Win eXtreme, this year we will hold the first of many TyphoonCon hacking competitions – TyphoonPwn!

TyphoonPwn will focus on browsers, mobile and Operating Systems, with up to 500,000 USD in prizes!

Prizes per target

Browsers

  • Chrome RCE on Windows – 80,000$
  • Chrome SBX – 80,000$
  • Safari RCE on OSX – 80,000$

Mobile

  • Android Samsung Galaxy kernel PE – 80,000$ (Galaxy S10) / 50,000$ (Galaxy A8)
  • iOS app to kernel PE – 80,000$

Operating Systems

  • Windows PE to System – 50,000$
  • Linux PE to root – 50,000$

Registration

Registration is free to all, not limited to conference attendees.

To participate in TyphoonPwn please send the following information to contact@ssd-disclosure.com:

  • Name/Alias for public use
  • Contact name (will not be made public – optional)
  • Contact Information (will not be made public)
  • Category

If you win the competition, we will ask you for the following information (it will not be made public):

  • Contact name
  • Address
  • Contact phone number
  • Contact Email
  • Payment information (wire transfer details, PayPal, or a postal address for mailing a check)

Prizes

SSD is offering cash and prizes during the competition for vulnerabilities and exploitation techniques against the listed targets in said categories.

If more than one contestant registers for a given category, the order of the contestants will be drawn at random.

Based on the participation order, the first contestant will be given an opportunity to attempt to compromise the selected target. If unsuccessful, the next randomly drawn contestant will be given an opportunity, and so on. This will continue until a contestant successfully compromises the target.

The first contestant to successfully compromise a selected target will win the prize money for that target in that category.

After a target has been compromised, the contest for that category will be over. SSD may decide to continue the contest and offer an additional prize for that target, in which case this would be announced at the conference.

All prizes are in USD. 

Integrity Level

  • For RCE vulnerabilities, executed code should run at the integrity level of the renderer process (‘Tab’) or higher.

Device Settings

  • The targets will be running on the latest, fully patched version of the operating system available on the selected target.
  • All targets will be installed in their default configurations.
  • The vulnerabilities utilized in the attack must be unknown, unpublished, and not previously reported to the vendor.
  • A given vulnerability may only be used once across all categories.

Remote Code Execution without Sandbox Escape

  • To provide a testing environment for this vulnerability, Chrome will be launched with the sandbox disabled: chrome.exe --no-sandbox.
  • The researcher’s URL will be accessed. This URL needs to be reachable from the phone: your laptop or USB key must contain the payload, which will be served by a web server (yours or one provided by us).
  • Code will be executed as a result of accessing this URL.
  • This will be the only interaction allowed with Chrome (placing the URL and opening it). Any additional popup or question presented to the user will not be considered RCE; it will be treated as a social engineering vulnerability and will not qualify as an RCE.

Remote Code Execution

  • An entry counts as code execution only when it achieves arbitrary shellcode execution.
  • The shellcode should be in assembly (either native or compiled code stored as assembly instructions).
  • The shellcode should run without any character, opcode, length or other restrictions. If any such restrictions exist, this should be noted during the demonstration of the code execution. The preferred shellcode execution outcome is popping calc by launching the calculator executable.

Winner selection

Upon successful demonstration of the exploit, the contestant will provide a fully functioning exploit plus a whitepaper explaining the vulnerabilities and exploitation techniques used in the attack. SSD will then determine whether the exploit meets the above rules. SSD may choose to accept the entry(ies) but offer a prize at a value less than the initial prize offering for a given category if it decides that part of the exploit chain fails to meet the above rules.

A short white paper including details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes.

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors, and the exploits and whitepapers will be the property of SSD. The original finder of the vulnerability will receive credit (or remain anonymous if they wish) for the vulnerabilities, the whitepaper and the disclosure.

NOTE: SSD reserves the right to solely determine what constitutes a successful attack.

Who Can Apply

TyphoonPwn is open for registration to anyone who is 18 years of age or older at the time of registration – excluding anyone working for one of the vendors whose equipment is used in the contest or is involved in development of the devices used in the contest. Also excluded are SSD employees and any of its affiliates.

Applicants may apply individually or as a team. All applications must contain valid, true, complete and accurate information.

SSD reserves the right to disqualify any applicant and/or application, at its sole discretion, if untruthful information is submitted.

SSD reserves the right to request further information from the Participant, as may be required in order to evaluate their ability to perform the required tasks at the Competition (this request may include the presentation of formal identity documents).

Submission

After being announced a winner in a category, you may provide the item for further inspection by encrypting it with the following public PGP key and sending it to contact@ssd-disclosure.com.
