On day two of Pwn2Own Vancouver 2023, competitors were awarded $475,000 after successfully demonstrating 10 zero-days across multiple products.

The list of hacked targets included the Tesla Model 3, Microsoft’s Teams communications platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system.

The highlight of the second day was a successful attempt by Synacktiv’s David Berard (@_p0ly_) and Vincent Dehors (@voutside) in the Tesla – Infotainment Unconfined Root category.

This earned them $250,000 and allowed them to take home a Tesla Model 3 after compromising the infotainment system through a heap overflow and an OOB write exploit chain.

Thomas Imbert of Synacktiv (@masthoon) and Thomas Bouzerar (@MajorTomSec) also successfully exploited a chain of three bugs to elevate privileges on an Oracle VirtualBox host to earn $80,000.

In a third attempt by Synacktiv, Tanguy Dubroca (@SidewayRE) was awarded $30,000 for demonstrating an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop.

Synacktiv’s Tesla Infotainment (ZDI) zero-day demo

The Viettel team (@vcslab) also hacked Microsoft Teams via a two-bug chain for $78,000 and Oracle’s VirtualBox using a Use-After-Free (UAF) bug and an uninitialized variable for $40,000.

On the first day, Pwn2Own competitors received $375,000 and a Tesla Model 3 after successfully demonstrating 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox and macOS.

On the final day of the contest, security researchers will attempt to exploit zero-day bugs in Ubuntu Desktop, Microsoft Teams, Windows 11, and VMware Workstation.

Pwn2Own Vancouver 2023 contestants can win $1,080,000 in cash and two Tesla Model 3 cars between March 22 and March 24.

Researchers will target products in several categories during the contest, including enterprise applications, enterprise communications, servers, virtualization, automotive, and local elevation of privilege (EoP).

“This year’s event promises some exciting research as we have 19 entries targeting nine different targets – including two Tesla attempts,” ZDI said.

“For this year’s event, every round will pay full price, which means if all achievements are successful, we will award over $1,000,000.”

Vendors have 90 days to patch the zero-day vulnerabilities demonstrated and disclosed during Pwn2Own before Trend Micro’s Zero Day Initiative publicly releases the technical details.

At Pwn2Own Vancouver 2022, security researchers won $1,155,000 after hacking the Tesla Model 3 infotainment system, exploiting Windows 11 six times, demonstrating three Microsoft Teams zero-days, and exploiting Ubuntu Desktop four times.
