Chrome, Edge, Office, VMware ESXi hacked at TMC 2019

[German]The TMC 2019 took place in Chengdu, China, on the weekend of 16-17 November 2019. It is a hacker competition (TifanCup 2019), where the best hacker teams of China compete against each other. Once again, there were a lot of hacks on current software such as browsers, office and virtualization solutions.


I became aware of the competition, which lasted several days, late on Sunday evening via this tweet.

The TFC Competition

The "Tianfu Cup", TFC (International Cracking Competition) aims to build China's own "Pwn2Own" community. The background: In spring 2018, the Chinese government banned its own security researchers from participating in hacker competitions organized abroad, such as Pwn2Own.

A few months later, the TianfuCup was launched in response to the ban to give researchers the opportunity to improve their skills. The first TFC Cup took place in autumn 2018 with great success. The security researchers successfully hacked Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox and other products.

At the TMC Cup, three independent and parallel competitions will be held. In order to be successful in the competition, teams must repeatedly exploit previously unknown security gaps in products, software and operating systems. The total prize money this year was 1 million US dollars.


Successful hacks, hacks, hacks

During the two-day competition there were successful hack to outbreak from virtual machines into the host operating system under VMware EXSi – whereby the hackers of 360Vulcan needed only 24 seconds for the hack.

That earned the hacker $200,000 in bonus. But two teams had to break off the attempts to hack Ubuntu 19.10/CentOS 8 and Windows Server 2019.

There were two successful attacks on PDF readers. Of 20 demonstrations, 13 were very successful and could hack browsers such as Chrome, Edge and Safari. Among them the mentioned Adobe PDF-Reader.

Microsoft Office and dLink products were also hacked. Catalin Cimpanu has summarized the whole thing in this tweet. The winner is the team from 360Vulcan, who earned a lot of money with the VMware-hack (200.000 US $) and Qemu under Ubuntu (80.000 US $).

Catalin Cimpanu has collected more details in this ZDNet article, but nothing about the vulnerabilities was known.

Cookies helps to fund this blog: Cookie settings


This entry was posted in browser, Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *