On day one of Pwn2Own Vancouver 2023, security researchers successfully demonstrated Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.
The first to fall was Adobe Reader in the enterprise applications category, after Abdul Aziz Hariri of Haboob SA (@abdhariri) used a 6-bug logical exploit chain that abused multiple faulty patches to escape the sandbox and bypass a list of banned APIs on macOS, earning $50,000.
The STAR Labs team (@starlabs_sg) demonstrated a zero-day exploit chain targeting Microsoft’s SharePoint team collaboration platform that landed them a $100,000 reward and successfully hacked Ubuntu Desktop with an already known exploit for $15,000.
Synacktiv (@Synacktiv) won $100,000 and a Tesla Model 3 after successfully executing a time-of-check to time-of-use (TOCTOU) attack against the Tesla-Gateway in the automotive category. They also used a TOCTOU zero-day vulnerability to elevate privileges on Apple macOS and won $40,000.
Oracle VirtualBox was hacked using an out-of-bounds (OOB) read and stack-based buffer overflow exploit chain (worth $40,000) by Bien Pham of Qrious Security (@bienpnn).
Last but not least, Marcin Wiązowski escalated privileges on Windows 11 using an improper input validation zero-day, earning a $30,000 prize.
This concludes the first day of #P2OVancouver 2023! We awarded $375,000 (and a Tesla Model 3!) for 12 zero-days during the first day of the contest. Stay tuned for day two of the contest tomorrow! #Pwn2Own
— Zero Day Initiative (@thezdi) March 22, 2023
Throughout the Pwn2Own Vancouver 2023 contest, security researchers will target products in the enterprise applications, enterprise communications, local elevation of privilege (EoP), servers, virtualization, and automotive categories.
On day two, Pwn2Own competitors will demonstrate zero-day exploits targeting Microsoft Teams, Oracle VirtualBox, Tesla Model 3 Infotainment Unconfined Root, and Ubuntu Desktop.
On the final day of the competition, security researchers will once again set their sights on Ubuntu Desktop and attempt to hack Microsoft Teams, Windows 11, and VMware Workstation.
Between March 22 and 24, participants can win $1,080,000 in cash and prizes, including a Tesla Model 3 car. The highest prize for hacking a Tesla is now $150,000, and the car itself.
After zero-day vulnerabilities are demonstrated and disclosed during Pwn2Own, vendors have 90 days to create and release security patches for all reported vulnerabilities before Trend Micro’s Zero Day Initiative publicly discloses them.
In last year’s Vancouver Pwn2Own contest, security researchers won $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and demonstrating three Microsoft Teams zero-days.
They also reported multiple zero-days in Apple Safari, Oracle VirtualBox, and Mozilla Firefox, and hacked the Tesla Model 3 infotainment system.