Today is the first day of Pwn2OwnVancouver2024, where contestants demonstrated 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux and other devices and software to win $732,500 and a Tesla Model 3 car.
At the beginning of the competition, Abdul Aziz Hariri of HaboobSA won $50,000 by exploiting an Adobe Reader vulnerability, combining an API restriction bypass and a command injection vulnerability to execute code on macOS.
Synacktiv used the integer overflow function to invade the Tesla ECU with vehicle (VEH) CAN bus control function within 30 seconds, winning a Tesla Model 3 and a $200,000 prize.
Theori security researchers Gwangun Jung and Junoh Lee made $130,000 by exploiting a chain targeting an uninitialized variable vulnerability, a UAF vulnerability, and a heap-based buffer overflow to escape a VMware Workstation virtual machine and execute code as SYSTEM on the host Windows operating system.
ReverseTactics' BrunoPUJOS and CorentinBAYET exploited two OracleVirtualBox vulnerabilities and a Windows UAF to escape a virtual machine and escalate privileges to SYSTEM, earning $90,000.
At the end of the first day of the competition, Manfred Paul hacked into Apple's Safari, Google Chrome and Microsoft Edge web browsers and exploited three zero-day vulnerabilities to win $102,500.
Other first-day attempts at Pwn2Own include:
The DEVCORE research team exploited two vulnerabilities, including a TOCTAU race condition, to escalate privileges to SYSTEM on a fully patched Windows 11 system, resulting in a $30,000 bounty. They also received a $10,000 bounty for demonstrating a known local privilege escalation (LPE) vulnerability in Ubuntu Linux.
Seunghyun Lee of KAIST Hacking Lab exploited the Use After Free (UAF) vulnerability to hack into the Google Chrome browser and made a profit of $60,000.
Kyle Zeng from ASUSEFCOM demonstrated another LPE exploit targeting Ubuntu Linux through competition conditions, earning $20,000.
Cody Gallagher also won $20,000 for an OracleVirtualBox out-of-bounds (OOB) write zero-day vulnerability.
Viettel cybersecurity firm's Dungdm also exploited two vulnerability chains to break into Oracle's VirtualBox for $20,000.
After Pwn2Own demonstrates a zero-day vulnerability, the vendor has 90 days to create and release security patches for all reported vulnerabilities before they are publicly disclosed by Trend Micro's zero-day program.
Throughout Pwn2OwnVancouver2024, security researchers will be researching fully patched products in categories such as web browsers, cloud native/containers, virtualization, enterprise applications, servers, escalation of privilege (EoP), enterprise communications, and automotive.
The next day, Pwn2Own competitors will try to exploit zero-day vulnerabilities in Windows 11, VMware Workstation, Oracle Virtual Box, Mozilla Firefox, Ubuntu Desktop, Google Chrome, Docker Desktop, and Microsoft Edge.
After two days of hacking competition, hackers can win more than $1.3 million in prizes, including a Tesla Model 3 car. Right now, the top reward for hacking a Tesla is $150,000 and the car itself.
Contestants who can achieve full remote control in Tesla's autonomous driving system without root restrictions can win a prize of up to $500,000 and a Tesla Model 3 car.
They are also eligible for a $300,000 reward for exploiting a Windows kernel vulnerability, as they were able to successfully escape from the Hyper-V client to the host and perform privilege escalation on the host operating system.
In last year's Vancouver Pwn2Own competition, won by the Synacktiv team, hackers gained $1,035,000 and a Tesla car by hacking 27 zero-days (and a few bug collisions) in Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and Tesla Model 3.
Synacktiv also hacked into the Tesla modem and infotainment system at the first Pwn2Own Automotive conference in January this year, gained root access to the Tesla modem through three zero-day vulnerability chains, and demonstrated sandbox escape of the infotainment system through two zero-day vulnerability chains.