Following the conclusion of Pwn2Own Vancouver 2023, competitors received $1,035,000 and a Tesla Model 3 for exploiting 27 zero-day vulnerabilities between March 22 and March 24. Security researchers targeted devices in the enterprise applications and communications, the local elevation of privilege (EoP), virtualization, servers, and automotive categories during the hacking competition, all of which were current and configured according to default.
Almost $1,000,000 in cash and a Tesla Model 3 were awarded as part of the Pwn2Own Vancouver 2023 prize pool, which Team Synacktiv won. Following successful hacking attempts against (Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and, of course, the Tesla Model 3) the hackers were able to elevate their privileges and acquire code execution on fully patched systems.
Vendors have 90 days to deliver security updates after Pwn2Own when zero-day vulnerabilities are exploited and disclosed before TrendMicro’s Zero Day Initiative makes them public.
Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) of Synacktiv won $80,000 for demonstrating a three-bug chain that allowed them to escalate their privileges on an Oracle VirtualBox host, and Tanguy Dubroca (@SidewayRE) won $30,000 for a wrong pointer scaling zero-day that allowed privilege escalation on Ubuntu Desktop.
On the third day of the competition, Thomas Imbert (@masthoon) of Synacktiv successfully compromised a Windows 11 system that had been fully patched in order to win $30,000 for a Use-After-Free (UAF) zero-day.
The STAR Labs Team also received $195,000 for exploiting vulnerabilities in Microsoft Teams and Oracle VirtualBox, while Team Viettel received $115,000 for breaking into Microsoft Teams and VMWare Workstation.
Researchers won $1,155,000 and a car in the Pwn2Own Vancouver hacking competition last May 2022 after taking down Windows 11, Ubuntu Desktop, Microsoft Teams, and other systems using several zero-day bugs and exploit chains.
What is Pwn2Own?
Every year, Trend Micro’s Zero Day Initiative (ZDI) hosts Pwn2Own, a hacking contest in which ethical hackers, cybersecurity professionals, and a number of other competitors compete.
In the Pwn2Own hacking competition, security researchers demonstrate their expertise and reveal significant zero-day vulnerabilities to tech companies by hacking the newest and most popular mobile devices. The exploited equipment, as well as cash prizes, are awarded to contest winners.
Vendors have 90 days after the hacking event to patch any zero-day vulnerabilities that were demonstrated and made public during the Pwn2Own. Regardless of the fix status, ZDI makes the defects publicly known once the deadline has passed.
Day One
Haboob SA (@HaboobSaAbdulAziz )’s Hariri (@abdhariri) finished his assault against Adobe Reader using a 6-bug logic chain that exploited numerous failed patches that escaped the sandbox and got around a prohibited API list. 5 Master of Pwn points and $50,000 are awarded to him.
Last-minute-pwnie was unable to get their Ubuntu to exploit up and running in the allocated time. STAR Labs (@starlabs sg) successfully used a two-bug chain to attack Microsoft SharePoint. They receive ten Master of Pwn points and $100,000.
Using an OOB Read and a stacked-based buffer overflow, Bien Pham (@bienpnn) of Qrious Security (@qriousec) successfully exploited Oracle VirtualBox. 4 Master of Pwn points and $40,000 were awarded to him. Synacktiv’s (@Synacktiv) TOCTOU assault against Tesla-Gateway was successful. They receive a Tesla Model 3 and $100,000, and 10 Master of Pwn points.
COLLISION – Although the exploit was already known, STAR Labs (@starlabs sg) successfully carried out their assault against Ubuntu Desktop. Still, they receive $15,000 and 1.5 Master of Pwn points.
Marcin Wizowski was successful in gaining elevated privileges on Windows 11 by abusing a flaw in input validation. $30k and 3 Master of Pwn points are his rewards.
Synacktiv (@Synacktiv) elevated privileges on Apple macOS via a TOCTOU flaw. They receive $40,000 in addition to 4 Master of Pwn points.
The first day of Pwn2Own Vancouver 2023 has come to an end. On the first day of the competition, we gave away $375,000 (along with a Tesla Model 3!) for 12 zero days.
Day Two
Thomas Bouzerar (@MajorTomSec) and Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) showed a three-bug chain against Oracle VirtualBox with a Host EoP. There has already been one problem reported. In addition, they receive 8 Master of Pwn points and $80,000.
Team Viettel’s (@vcslab) @hoangnx99, @rskvp93, and @ q5ca attempted to compromise Microsoft Teams using a 2-bug chain. 75,000 dollars and 8 Master of Pwn points are awarded.
David Berard (@ p0ly_) and Vincent Dehors (@vdehors) from Synacktiv (@Synacktiv) successfully exploited the Tesla – Infotainment Unconfined Root by using a heap overflow and an OOB write. After collecting $250,000 and 25 Master of Pwn points, they are eligible for a Tier 2 reward.
Oracle VirtualBox was successfully exploited by dungdm (@ piers2) of Team Viettel (@vcslab) using an uninitialized variable and a UAF flaw. They receive $40,000 in addition to 4 Master of Pwn points.
On the Ubuntu Desktop, Tanguy Dubroca (@SidewayRE) of Synacktiv (@Synacktiv) employed an erroneous pointer scaling that resulted in privilege escalation. $30k and 3 Master of Pwn points are theirs to keep.
Day Three
Pwn2Own Vancouver is now over! Participants revealed 27 different zero-days and won a total of $1,035,000 (plus a car)! Synacktiv (@Synacktiv), the Masters of Pwn! They received a Tesla Model 3 and 53 points, along with $530,000.
Team Synacktiv members include Tanguy Dubroca, Thomas Bouzerar, David Berard, Eloi Benoist-Vanderbeken, and Thomas Imbert. Also, they will be granted Platinum status in 2024 and a $25,000 incentive.
Kyle Zeng from ASU SEFCOM successfully exploited Ubuntu Desktop using a double-free flaw. $30k and 3 Master of Pwn points are his rewards.
STAR Labs was unable to exploit Microsoft Teams in the allocated time successfully. Thomas Imbert from Synacktiv (@Synacktiv) successfully used a UAF against Microsoft Windows 11 (@masthoon). $30k and 3 Master of Pwn points are theirs to keep.
Theori’s Mingi Cho used a UAF to defeat Ubuntu Desktop. $30k and 3 Master of Pwn points are theirs to keep. STAR Labs (@starlabs sg) successfully leveraged a UAF and uninitialized variable against a VMware Workstation. They receive $80,000 in addition to 8 Master of Pwn points.
Bien Pham (@bienpnn) of Qrious Security successfully attacked Ubuntu Desktop. However, the hack was already public knowledge. Still, they receive $15,000 and 1.5 Master of Pwn points.
Conclusion
Participants in the three-day Pwn2Own Vancouver 2023 hacking competition revealed 27 original zero-day exploits and took home a car, $1,035,000 in total, as prizes. Offensive security company Synacktiv (@Synacktiv) took first place and won the title of Masters of Pwn on the leaderboard. They achieved this feat by earning 53 points, $530,000, and a Tesla Model 3 for their efforts. In addition, they achieved Platinum status in 2024 and a $25,000 incentive. Security researchers were given $1,155,000 at the Pwn2Own Vancouver 2022 competition last year for exploiting various zero-day defects and exploited chains to attack the Tesla Model 3’s infotainment system and Microsoft Teams, Windows 11, and Ubuntu Desktop.
