Tianfu Cup 2021: Exchange 2019 and iPhone hacked

[German]I think the developers at Apple and Microsoft – as well as some other software companies – will have their work cut out for them. At the Chinese Tianfu Cup 2021, which is currently (Oct. 16./17. 2021) underway, there was a continuous stream of successful hacks. Among other things, Microsoft Exchange 2019 was hacked via a 0-day exploit – and even the iPhone with iOS 15 was not safe from the hackers.

The Tianfu Cup

The "Tianfu Cup",  or TFC (International Cracking Competition) for short, is China's largest hacking competition. This aims to build China's own "Pwn2Own" community. The background: In spring 2018, the Chinese government banned its own security researchers from participating in hacking competitions organized abroad, such as Pwn2Own.

A few months later, the Tianfu Cup was created in response to the ban to give researchers the opportunity to improve their skills. The first TFC Cup was held in autumn 2018 with great success. In it, security researchers successfully hacked Edge, Chrome, Safari, iOS, Xiaomi, Vivo, VirtualBox and other products.

At the TMC Cup, three independent and parallel competitions are held. The three parallel competitions include PC, mobile and server, and eight categories: Virtualization Software, Operating System Software, Browser Software, Office Software, Mobile Intelligent Devices, Web Services and Applications Software, DNS Services Software, and Common Management Services Software. Teams must repeatedly exploit previously unknown security vulnerabilities in products, software and operating systems to succeed in the competition.

The prize money totaled $1 million US $ in 2019. I had already reported on this competition in 2020 in the blog post Tianfu Cup Competition: Windows 10, iOS, Chrome, Firefox hacked. In 2021, the Tianfu Cup will be held on Saturday, October 16 and Sunday, October 17. The prize in this competition this year is $1.5 million US $.

iOS and Exchange Server 2019 hacked

At the moment, few details are leaking out about the hacks of the first day and the hacks that are ongoing this Sunday. However, two snippets of information have already come to my attention and I'm posting them here on the blog.

On October 16, 2021, the above tweet came to my attention. A team managed to hack Microsoft Exchange Server 2019 within not even 5 minutes. The tweet states that the hack was done via a 0-day vulnerability that is not fixed with the latest Exchange updates (Security Updates for Exchange Server (October 2021)). If more details come to my attention, I will report on it.

And the tweet above (from Kunlun Lab CEO @mj0011sec) says that Team PangU was able to hack an iPhone 13 Pro (with iOS 15.x) on the first day. The team was able to demonstrate a remote jailbreak and collected $300,000 in prize money for it – this article even states $320,000.  This puts the team in first place for prize money. An article about it can be found here, but there are no details there yet.

And on the 2nd day of TFC 2021, an iPhone 13 Pro was hacked within 15 seconds via a remote code execution in the Mobile Safari browser by Team Kunlun Lab. This post can be found on reddit.com under iPhone XR, iOS 12.4.

Addendum: The above tweet now shows additional information about the TFC 2021. Catalin Cimpanu has collected some more information about the contest in this The Records article. And there is now also an article at The Hacker News.