During the second day of Pwn2Own Vancouver 2023, competitors were awarded $475,000 after successfully exploiting 10 zero-days in multiple products.
The list of hacked targets included the Tesla Model 3, Microsoft’s Teams communication platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system.
The second day’s highlight was a successful attempt by Synacktiv’s David Berard (@_p0ly_) and Vincent Dehors (@vdehors) against the Tesla – Infotainment Unconfined Root.
This earned them $250,000 and allowed them to take home a Tesla Model 3 after hacking it via a heap overflow and OOB write exploit chain.
Synacktiv’s Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) also successfully exploited a three-bug chain to escalate privileges on an Oracle VirtualBox host, earning $80,000.
In a third attempt from Synacktiv, Tanguy Dubroca (@SidewayRE) was awarded $30,000 for demoing an incorrect pointer scaling zero-day resulting in privilege escalation on Ubuntu Desktop.
Team Viettel (@vcslab) also hacked Microsoft Teams through a 2-bug chain to earn $78,000, and Oracle’s VirtualBox using a use-after-free (UAF) bug and an uninitialized variable for $40,000.
On the first day, Pwn2Own competitors were awarded $375,000 and a Tesla Model 3 after successfully demoing 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox, and macOS.
On the final day of the competition, security researchers will attempt to exploit zero-day bugs in Ubuntu Desktop, Microsoft Teams, Windows 11, and VMware Workstation.
Pwn2Own Vancouver 2023 contestants can earn $1,080,000 in cash and two Tesla Model 3 cars between March 22 and March 24.
Researchers will target products from multiple categories throughout the contest, including enterprise applications, enterprise communications, servers, virtualization, automotive, and local escalation of privilege (EoP).
That concludes Day 2 of #P2OVancouver – we awarded $475,000 for 10 distinctive zero-days today, bringing the total awarded to $850,000! Stay tuned tomorrow for the final day of the competition. #Pwn2Own pic.twitter.com/EtMnP4Ree5
— Zero Day Initiative (@thezdi) March 23, 2023
“This year’s event promises some exciting research as we have 19 entries targeting nine different targets – including two Tesla attempts,” ZDI stated.
“For this year’s event, every round will pay full price, which means if all exploits succeed, we’ll award over $1,000,000 USD.”
Vendors should patch zero-day vulnerabilities demoed and disclosed during Pwn2Own within 90 days, before Trend Micro’s Zero Day Initiative publicly publishes technical details.
At Pwn2Own Vancouver 2022, security researchers earned $1,155,000 after hacking the Tesla Model 3 Infotainment System, taking down Windows 11 six times, demonstrating three Microsoft Teams zero-days, and exploiting Ubuntu Desktop four times.