Hackers earn $1,132,500 for 29 zero-days at Pwn2Own Vancouver

March 22, 2024 at 01:13AM

Pwn2Own Vancouver 2024 concluded with security researchers earning $1,132,500 by demonstrating 29 zero-day vulnerabilities across various categories, including web browsers, cloud-native/container, virtualization, enterprise applications, and automotive products. Notably, Manfred Paul and Team Synacktiv emerged as top performers by exploiting various software and winning cash prizes and a Tesla Model 3.

The key takeaways from the article are:

– Pwn2Own Vancouver 2024 concluded with security researchers collecting $1,132,500 after demoing 29 zero-day vulnerabilities and some bug collisions.

– The event targeted various software and products in categories including web browser, cloud-native/container, virtualization, enterprise applications, server, local escalation of privilege (EoP), enterprise communications, and automotive, all up-to-date and in their default configuration.

– The total prize pool was over $1,300,000 in cash prizes and a Tesla Model 3, won by Team Synacktiv on the first day.

– Competitors successfully gained code execution and escalated privileges on fully patched systems by targeting Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, three web browsers (Apple Safari, Google Chrome, and Microsoft Edge), and the Tesla Model 3.

– Vendors have 90 days to release security fixes for zero-day vulnerabilities reported during Pwn2Own contests before Trend Micro’s Zero Day Initiative (ZDI) discloses them publicly.

– ZDI has awarded $3,494,750 during the last three Pwn2Own hacking contests (Toronto, Tokyo Automotive, and Vancouver).

– Manfred Paul won this year’s edition of Pwn2Own Vancouver with 25 Master of Pwn points and $202,500 earned after hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers.

– Synacktiv also made highlights after winning a Tesla Model 3 car and $200,000 after hacking the Tesla ECU with Vehicle (VEH) CAN BUS Control.

– Other successful attempts and bug collisions included several Windows 11 privilege escalation exploits, a VMware Workstation RCE, Ubuntu Linux privilege escalation exploits, further Chrome and Edge hacks, an Oracle VirtualBox guest-to-host escape exploit, and another privilege escalation on Ubuntu Linux.