March 21, 2024 at 03:14AM
At Pwn2Own Vancouver 2024, contestants exploited zero-day vulnerabilities, earning over $1.3 million and a Tesla Model 3 car. The exploits targeted various platforms including Windows 11, Tesla, Ubuntu Linux, and web browsers. Vendors have 90 days to create security patches for reported flaws before public disclosure by Trend Micro’s Zero Day Initiative.
Pwn2Own Vancouver 2024 highlights:
– Contestants demonstrated zero-day vulnerabilities and exploit chains on Windows 11, Tesla, and Ubuntu Linux to win significant cash prizes and a Tesla Model 3 car.
– Haboob SA’s Abdul Aziz Hariri earned $50,000 by using an Adobe Reader exploit on macOS.
– Synacktiv won a Tesla Model 3 and $200,000 by hacking the Tesla ECU using Vehicle (VEH) CAN BUS Control.
– Theori security researchers Gwangun Jung and Junoh Lee earned $130,000 after escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS.
– Reverse Tactics’ Bruno PUJOS and Corentin BAYET collected $90,000 by exploiting two Oracle VirtualBox bugs and a Windows use-after-free (UAF) bug to escape the VM and elevate privileges to SYSTEM.
– Manfred Paul won $102,500 by hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers.
– Other attempts included exploits targeting fully patched products in various categories, such as web browser, cloud-native/container, virtualization, enterprise applications, server, and automotive.
– On the second day, competitors were set to attempt exploits of zero-day bugs in Windows 11, VMware Workstation, Oracle VirtualBox, Mozilla Firefox, Ubuntu Desktop, Google Chrome, Docker Desktop, and Microsoft Edge.
– The top award for hacking a Tesla is $150,000, and the car itself. The maximum prize is $500,000 and a Tesla Model 3 car for an exploit that gives complete remote control with unconfined root when targeting the Tesla Autopilot.
– Last year’s Vancouver Pwn2Own saw hackers earning $1,035,000 and a Tesla car for 27 zero-days in various software and Tesla’s Model 3, with Synacktiv also successful in the first edition of Pwn2Own Automotive in January.