Microsoft Teams, VirtualBox, Tesla zero-days exploited at Pwn2Own


During the second day of Pwn2Own Vancouver 2023, competitors were awarded $475,000 after successfully exploiting 10 zero-days in multiple products.

The list of hacked targets included the Tesla Model 3, Microsoft’s Teams communication platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system.

The second day’s highlight was a successful attempt from Synacktiv’s David Berard (@_p0ly_) and Vincent Dehors (@vdehors) against the Tesla – Infotainment Unconfined Root.

This earned them $250,000 and allowed them to take home a Tesla Model 3 after hacking it through a heap overflow and an out-of-bounds (OOB) write exploit chain.

Synacktiv’s Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) also successfully exploited a three-bug chain to escalate privileges on an Oracle VirtualBox host to earn $80,000.

In a third attempt from Synacktiv, Tanguy Dubroca (@SidewayRE) was awarded $30,000 for demoing an incorrect pointer scaling zero-day resulting in privilege escalation on Ubuntu Desktop.

Synacktiv’s Tesla Infotainment zero-day demo (ZDI)

Team Viettel (@vcslab) also hacked Microsoft Teams through a 2-bug chain to earn $78,000 and Oracle’s VirtualBox using a Use-After-Free (UAF) bug and an uninitialized variable for $40,000.

On the first day, Pwn2Own competitors were awarded $375,000 and a Tesla Model 3 after successfully demoing 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox, and macOS.

On the final day of the competition, security researchers will try to exploit zero-day bugs in Ubuntu Desktop, Microsoft Teams, Windows 11, and VMware Workstation.

Pwn2Own Vancouver 2023 contestants can earn $1,080,000 in cash and two Tesla Model 3 vehicles between March 22 and March 24.

Researchers will target products from multiple categories during the contest, including enterprise applications, enterprise communications, servers, virtualization, automotive, and local escalation of privilege (EoP).

“This year’s event promises some exciting research as we have 19 entries targeting 9 different targets – including two Tesla attempts,” ZDI said.

“For this year’s event, every round will pay full value, which means if all exploits succeed, we’ll award over $1,000,000 USD.”

Vendors should patch zero-day vulnerabilities demoed and disclosed during Pwn2Own within 90 days, before Trend Micro’s Zero Day Initiative publicly publishes technical details.

At Pwn2Own Vancouver 2022, security researchers earned $1,155,000 after hacking the Tesla Model 3 Infotainment System, taking down Windows 11 six times, demonstrating three Microsoft Teams zero-days, and exploiting Ubuntu Desktop four times.
