On day three of the Pwn2Own hacking contest, security researchers were awarded $185,000 after demonstrating 5 zero-day exploits targeting Windows 11, Ubuntu Desktop, and VMware Workstation virtualization software.
The highlight of the day was the hacking of the Ubuntu Desktop operating system three times by three different teams, although one of the entries was a collision with an already known exploit.
The three working Ubuntu zero-day exploits were demonstrated by ASU SEFCOM’s Kyle Zeng (a double free bug), Theori’s Mingi Cho (a Use-After-Free vulnerability), and Bien Pham (@bienpnn) from Qrious Security.
While the first two each received $30,000 for their zero-day exploits, Pham only earned $15,000 due to a bug collision.
A fully patched Windows 11 system was hacked again at Pwn2Own, with Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) winning $30,000 for a Use-After-Free (UAF) bug.
Last but not least, STAR Labs (@starlabs_sg) used an uninitialized variable and a UAF exploit chain against VMware Workstation for an $80,000 reward.
On the first day, Pwn2Own Vancouver 2023 participants won $375,000 and a Tesla Model 3 after demonstrating 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox and macOS.
During the second day, competitors received $475,000 after exploiting 10 zero-days in multiple products, including Windows 11, Tesla, Ubuntu and macOS.
That brings the total to $1,035,000 and a car awarded for 27 zero-day exploits demonstrated over the three days of this year's Pwn2Own Vancouver 2023 competition.
The winners of the contest are Synacktiv, who won $530,000 and a Tesla Model 3 car for their exploits.
It is a wrap for #P2OVancouver! Participants disclosed 270 unique days and won a total of $1,035,000 (and a car)! Congratulations Pwn Masters, @Synacktiv, for their huge success and hard work! They won 53 points, $530,000 and a Tesla Model 3. #Pwn2Own pic.twitter.com/xtd0cdjGC3
— Zero Day Initiative (@thezdi) March 24, 2023
At Pwn2Own Vancouver 2023, security researchers targeted software across multiple categories, including automotive, enterprise applications and communications, servers, virtualization, and local elevation of privilege (EoP).
“For this year’s event, every round will pay full price, which means if all achievements are successful, we will award over $1,000,000,” said.
Vendors have 90 days to fix the zero-day bugs presented and disclosed at Pwn2Own before Trend Micro’s Zero Day Initiative releases technical details.
At last year's Pwn2Own Vancouver hacking contest, researchers received $1,155,000 after hacking into the Tesla Model 3 infotainment system and compromising Windows 11, Microsoft Teams, and Ubuntu Desktop using several zero-day bugs and exploit chains.