Pwn2Own Day One

On the first day, Pwn2Own Vancouver 2023 hacking challenge participants compromised Windows 11, Tesla, macOS, and Ubuntu Desktop.

AbdulAziz Hariri of Haboob SA, who completed his attack against Adobe Reader utilizing a 6-bug logic chain leveraging many failed fixes that escaped the sandbox and overcame a banned API list, gave the first demonstration of the day. 5 Master of Pwn points and $50,000 are awarded to him.

Microsoft SharePoint was the target of a 2-bug chain that STAR Labs was able to run. They receive 10 Master of Pwn points and $100,000.

Oracle VirtualBox was exploited by Bien Pham (@bienpnn) of Qrious Security (@qriousec) via an OOB Read and a stacked-based buffer overflow. 4 Master of Pwn points and $40,000 are awarded to him.

Tesla – Gateway was the target of a TOCTOU attack by Synacktiv (@Synacktiv). They receive a Tesla Model 3 and $100,000, and 10 Master of Pwn points.

Although the exploit was already known, STAR Labs (@starlabs sg) was successful in its attack against Ubuntu Desktop. They still receive $15,000 in addition to 1.5 Master of Pwn points.

Marcin Wizowski used an improper input validation bug to elevate privileges on Windows 11. He receives $30,000 and 3 Master of Pwn points.

Synacktiv (@Synacktiv) escalated privileges on Apple macOS by exploiting a TOCTOU bug. They receive $40,000 as well as 4 Master of Pwn points.

Totally eight tries today, including a Tesla attack and a SharePoint RCE. All unique winning entries will be given the full prize money for this year’s competition.

As a result, hackers received $375,000 (along with a Tesla Model 3!) on the first day of the competition for 12 zero-day exploits.

Building Your Malware Defense Strategy – Download Free E-Book

Previous Coverage

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.