On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.
The first to fall was Adobe Reader in the enterprise applications category after Haboob SA’s Abdul Aziz Hariri (@abdhariri) used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches, which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.
The STAR Labs team (@starlabs_sg) demoed a zero-day exploit chain targeting Microsoft’s SharePoint team collaboration platform that brought them a $100,000 reward, and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.
Synacktiv (@Synacktiv) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.
Oracle VirtualBox was hacked using an OOB Read and a stack-based buffer overflow exploit chain (worth $40,000) by Qrious Security’s Bien Pham (@bienpnn).
Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.
That wraps up the first day of #P2OVancouver 2023! We awarded $375,000 (and a Tesla Model 3!) for 12 zero-days during the first day of the contest. Stay tuned for day two of the contest tomorrow! #Pwn2Own pic.twitter.com/UTvzqxmi8E
— Zero Day Initiative (@thezdi) March 22, 2023
Throughout the Pwn2Own Vancouver 2023 contest, security researchers will target products in the enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories.
On the second day, Pwn2Own competitors will demo zero-day exploits targeting Microsoft Teams, Oracle VirtualBox, the Tesla Model 3 Infotainment Unconfined Root, and Ubuntu Desktop.
On the last day of the contest, security researchers will set their sights again on Ubuntu Desktop and attempt to hack Microsoft Teams, Windows 11, and VMware Workstation.
Between March 22 and March 24, contestants can earn $1,080,000 in cash and prizes, including a Tesla Model 3 car. The top award for hacking a Tesla is now $150,000, plus the car itself.
After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro’s Zero Day Initiative publicly discloses them.
During last year’s Vancouver Pwn2Own contest, security researchers earned $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.
They also reported multiple zero-days in Apple Safari, Oracle VirtualBox, and Mozilla Firefox, and hacked the Tesla Model 3 Infotainment System.