P0 0-Day in the Wild Tracking:

https://googleprojectzero.github.io/0days-in-the-wild/

https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/view#gid=0

Pwn2Own Bug Tracking

https://gist.github.com/ChiChou/ad9c4aa8546007b853a7a396ab4c12d3

Collator: Tom Ritter <tom@mozilla.com> - This is now unmaintained - Please be encouraged to fork and update (and let me know so I can point to it)

This list is of full-chain exploits found either in-the-wild or in an exploit contest. It doesn't include sandbox escapes reported to us by external researchers or found internally. It is 2018 - Feb 2021, excludes IE, and has a 2016 Tor Exploit and a P0 Example Chain

https://twitter.com/maddiestone/status/1357480448524308481

https://github.com/chromium/chromium/commit/cf054220a2e1570a9149220494de8826c2e9d4db

UAF in Site Isolation

https://github.com/v8/v8/commit/b1d9bbce51b8fc5205df53fad22d7f10a23870e4

https://bugzilla.mozilla.org/show_bug.cgi?id=1675905

https://twitter.com/n_b1a/status/1339494432534536193

https://twitter.com/TianfuCup/status/1324953113099268096

https://github.com/chromium/chromium/commit/f24c213293752250db05e11c5e4b77adce002d38

https://twitter.com/TianfuCup/status/1324953692378853377

Bugs could be among the many credited to Ant Security at https://support.apple.com/en-us/HT211931

Android-specific Heap overflow in UI

Heap buffer overflow in cng.sys IOCTL 0x390400

https://savannah.nongnu.org/bugs/?59308

https://bugzilla.mozilla.org/show_bug.cgi?id=1620818

https://bugzilla.mozilla.org/show_bug.cgi?id=1626728

We were told that this was paired with a Windows kernel bug for the escape

https://github.com/chromium/chromium/commit/7d25c6948d6e0fb55da2e8f637caa586f6c6be55

No information is available. Reported by anonymous, not even mentioned as being used in-the-wild by the release notes

No information is available. Reported by anonymous, not even mentioned as being used in-the-wild by the release notes

https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results

found as an actual 0day

https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html

https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping-chrome/

https://bugs.chromium.org/p/chromium/issues/detail?id=906043

independently discovered by tianfu cup 2018

independently discovered and disclosed

https://bugs.chromium.org/p/chromium/issues/detail?id=722756

independently discovered and disclosed

Windows Kernel Bug in CSRSS that targeted Windows 10

Windows kernel bug in font loader that targeted Windows 8.1 and below

Windows kernel bug in font loader that targeted Windows 8.1 and below

Android 1-days used to exploit kernel

https://bugzilla.mozilla.org/show_bug.cgi?id=1607443

A PAC script was loaded via a local network spoof that exploited the JIT bug in the parent

Windows improperly handles calls to Advanced Local Procedure Call (ALPC). Also applicable to Chrome

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0834

https://github.com/chakra-core/ChakraCore/commit/7d32f335c3a9291ddccd0fb011ee1b11f3363176

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0830

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0823

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0831

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0793

Unclear why this exploit used four bugs. It might not have.

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-1056

No sandbox escape, content process only

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0829

https://bugs.chromium.org/p/chromium/issues/detail?id=1024121

https://bugs.chromium.org/p/chromium/issues/detail?id=1024116

https://bugs.chromium.org/p/chromium/issues/detail?id=1025464

Unclear if or why the exploit used so many bugs

https://bugs.chromium.org/p/chromium/issues/detail?id=1025465

https://bugs.chromium.org/p/chromium/issues/detail?id=1025466

https://bugs.chromium.org/p/chromium/issues/detail?id=1025468

No sandbox escape: https://twitter.com/dmxcsnsbh/status/1195681907473711104

No sandbox escape

win32k bug that was only exploitable on win7

https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html

https://bugs.chromium.org/p/project-zero/issues/detail?id=1942

An Android privesc, reachable from inside the chromium sandbox, was discovered in the wild. No render exploit was found. Uncertain if this was a browser exploit, but likely.

https://bugzilla.mozilla.org/show_bug.cgi?id=1559858

Sending Prompt:Open from the child could cause the parent to open arbitrary webpages. Then you can re-exploit a JIT bug

https://bugzilla.mozilla.org/show_bug.cgi?id=1544386

Type Confusion. Collided with a P0 researcher

https://bugzilla.mozilla.org/show_bug.cgi?id=1559845

https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html

They reused this bug as a simple example, this exercise was about exploiting memory corruption over IPC

https://bugzilla.mozilla.org/show_bug.cgi?id=1539818

https://bugzilla.mozilla.org/show_bug.cgi?id=1538028

https://bugzilla.mozilla.org/show_bug.cgi?id=1538007

XUL injection through language pack installed via window.navigator.mozAddonManager

https://bugzilla.mozilla.org/show_bug.cgi?id=1538008

Signed a user into a Firefox account and synced over prefs that disabled the sandbox.

https://bugzilla.mozilla.org/show_bug.cgi?id=1538006

https://docs.google.com/document/d/1PeUquAAGegv-pcadvxK7S1T3bIQYYT7cNvHZ7Lsme9M/edit#heading=h.qyy1puxojvd9

https://bugzilla.mozilla.org/show_bug.cgi?id=1537924

Probably, but not for certain, the same one as Edge

Not clear how exactly, but this CVE seems involved. Maybe a variant of -1045

https://blog.exodusintel.com/2019/05/19/pwn2own-2019-microsoft-edge-renderer-exploitation-cve-2019-9999-part-1/

Content process can forge clicks via IPC and download/launch an arbitrary binary

https://blog.exodusintel.com/2019/05/27/pwn2own-2019-microsoft-edge-sandbox-escape-cve-2019-0938-part-2/

https://www.thezdi.com/blog/2019/3/20/pwn2own-vancouver-2019-day-one-results

apparently apple already knew this bug so determining which it is is very difficult

https://phoenhex.re/2019-05-26/attribution-is-hard-at-least-for-dock

https://github.com/exodusintel/CVE-2019-0808

exploit only targeted Windows 7

https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html

https://bugs.chromium.org/p/chromium/issues/detail?id=906043

Note that this bug was independently found and used in both Tianfu Cup and the in-the-wild watering hole attack

https://github.com/vngkv123/aSiagaming/tree/master/Chrome-v8-906043

There is no evidence of a Chrome-based sandbox escape being used in this contest at all

There is evidence that no sandbox escape was used at all. https://securityaffairs.co/wordpress/78210/hacking/tianfu-cup-pwn.html and https://gbhackers.com/tianfu-cup-2018-pwn/ say '$150k for 2 chrome exploits, and the contest rules say a Chrome bug was $100k or $150k for a full chain w/ escape

https://bugs.chromium.org/p/chromium/issues/detail?id=905940

https://docs.google.com/document/d/1la9B_8rarsDkHRVeAUiwr6dT7vgikQe_zeTX47VYExE/edit#

https://bugzilla.mozilla.org/show_bug.cgi?id=1493903

https://bugzilla.mozilla.org/show_bug.cgi?id=1493900

We believe there was a sandbox escape, but we did not receive it. We believe it was a Windows kernel bug

https://bugs.chromium.org/p/chromium/issues/detail?id=888923

https://bugs.chromium.org/p/chromium/issues/detail?id=888926

https://bugzilla.mozilla.org/show_bug.cgi?id=1446062

https://docs.google.com/document/d/1GfngbrLr_P2X8VK54il7dmZZ31P8vqSpnhGCqwbvtcU/edit

http://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/

http://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/

https://labs.f-secure.com/assets/BlogFiles/mwri-t2-big-game-fuzzing-pwn2own-safari-final.pdf

exploit did not succeed during contest but zdi bought anyway