Hackers Exploited Ubuntu, Adobe Reader, Sharepoint, Tesla ECU & Oracle VM

This year’s Pwn2Own Vancouver 2024 event is expected to be the largest in Vancouver history, both in terms of entries and potential rewards.

The event’s victors will receive over $1,300,000 in cash and prizes, which include a Tesla Model 3.

The results of Pwn2Own Vancouver 2024’s first day have been released, and the hackers particularly hacked Oracle VM, Adobe Reader, Microsoft Sharepoint, Tesla ECU, and Ubuntu.

As of the end of Day 1, the winners have received $732,500 USD for 19 distinct 0 days. 

The Highlights Of Day 1

AbdulAziz Hariri of Haboob SA was able to launch the event by successfully executing their code execution attack against Adobe Reader.

He combined a Command Injection issue with an API Restriction Bypass. In addition to 5 Master of Pwn points, he receives $50,000.

The LPE attack against Windows 11 was successfully carried out by the DEVCORE Research Team.

They merged a few bugs, one of which was a TOCTOU race condition that may be dangerous. Three Master of Pwn points and $30,000 are theirs.

With just one UAF bug, Seunghyun Lee (@0x10n) of the KAIST Hacking Lab was able to execute their exploit of the Google Chrome web browser. They get six Master of Pwn points and $60,000.

Combining a heap-based buffer overflow, a UAF, and an uninitialized variable flaw, Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) were able to escape VMware Workstation and run code as SYSTEM on the host Windows OS.

They receive $130,000 and 13 Master of Pwn points for their outstanding achievement.

Two Oracle VirtualBox issues, including a buffer overflow, were combined with a Windows UAF by Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) to enable the guest OS to escape and run code as SYSTEM on the host OS.

They receive $90,000 and nine Master of Pwn points for this outstanding research.

The Synacktiv (@synacktiv) team exploited the Tesla ECU with Vehicle (VEH) CAN BUS Control by using a single integer overflow.

The winners receive a new Tesla Model 3 (their second!), $200,000, and 20 Master of Pwn points.

Manfred Paul (@_manfp) leverages a PAC bypass exploiting an Apple Safari vulnerability to obtain RCE on the browser via an integer underflow flaw.

He gains six Master of Pwn points and $60,000 for himself.

Oracle VirtualBox was exploited by Dungdm (@_piers2) of Viettel Cyber Security using two bugs, including the always dangerous race condition.

They get four Master of Pwn points and $20,000 as the round three winners.

That concludes Pwn2Own Vancouver 2024’s first day. Let’s see if Manfred Paul can catch up to Synacktive or if they can maintain their Master of Pwn lead.

Follow this link to view this highly competitive contest’s detailed itinerary. Additionally, you can find a comprehensive overview of the Pwn2Own Vancouver 2024 Day 1 results here.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.