Pwn2Own Vancouver 2023: Zero-Day Exploits Revealed for Tesla Model 3, Windows 11, and macOS

Mar 23, 2023 | News


Synacktiv Strikes Gold with Tesla TOCTOU Attack and macOS Privilege Escalation

At Pwn2Own Vancouver 2023, security researchers brought their A-game, demonstrating zero-day exploits and exploit chains for some of the most popular products in enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories. The event took place between March 22 and March 24, with contestants vying for $1,080,000 in cash and prizes, including a Tesla Model 3 car.

The first day of the contest saw Adobe Reader fall victim to a six-bug logic exploit chain that allowed Abdul Aziz Hariri of Haboob SA to bypass a banned API list on macOS and earn $50,000. STAR Labs targeted Microsoft’s SharePoint team collaboration platform with their zero-day exploit chain and won $100,000. They also successfully hacked Ubuntu Desktop with a previously known exploit, earning $15,000. Synacktiv won $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla Gateway in the Automotive category. They also managed to escalate privileges on Apple macOS and earned $40,000.


Qrious Security Cracks Oracle VirtualBox with OOB Read and Buffer Overflow

Qrious Security’s Bien Pham also had his day at the event, hacking Oracle VirtualBox using an OOB (out-of-bounds) read and a stack-based buffer overflow exploit chain, which earned him $40,000. Marcin Wiązowski hacked Windows 11 using an improper input validation zero-day, which came with a $30,000 prize.

The second day of the contest targeted Microsoft Teams, Oracle VirtualBox, the Tesla Model 3 Infotainment Unconfined Root, and Ubuntu Desktop. On the final day of the event, researchers attempted to hack Microsoft Teams, Windows 11, VMware Workstation, and Ubuntu Desktop.

Contestants Aim at Apple Safari, Mozilla Firefox, VirtualBox, and More

After the event, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro’s Zero Day Initiative publicly discloses them. Last year’s Vancouver Pwn2Own contest saw security researchers earn $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days. They also reported several zero-days in Apple Safari, Oracle VirtualBox, and Mozilla Firefox, and hacked the Tesla Model 3 Infotainment System. With Pwn2Own Vancouver 2023 raising the stakes even higher, the security community eagerly awaits next year’s event.


Source: bleepingcomputer.com
