Pwn2Own Day One

On the first day, Pwn2Own Vancouver 2023 hacking challenge participants compromised Windows 11, Tesla, macOS, and Ubuntu Desktop.

The first demonstration of the day came from AbdulAziz Hariri of Haboob SA, who completed his attack against Adobe Reader using a 6-bug logic chain that leveraged many failed fixes, escaped the sandbox, and overcame a banned API list. He earns $50,000 and 5 Master of Pwn points.

STAR Labs successfully ran a 2-bug chain against Microsoft SharePoint. They receive $100,000 and 10 Master of Pwn points.

Bien Pham (@bienpnn) of Qrious Security (@qriousec) exploited Oracle VirtualBox using an OOB read and a stack-based buffer overflow. He receives $40,000 and 4 Master of Pwn points.

Synacktiv (@Synacktiv) carried out a TOCTOU attack against Tesla – Gateway. They receive $100,000, 10 Master of Pwn points, and a Tesla Model 3.

STAR Labs (@starlabs_sg) succeeded in its attack against Ubuntu Desktop, although the exploit was already known. They still receive $15,000 and 1.5 Master of Pwn points.

Marcin Wiązowski used an improper input validation bug to elevate privileges on Windows 11. He receives $30,000 and 3 Master of Pwn points.

Synacktiv (@Synacktiv) escalated privileges on Apple macOS by exploiting a TOCTOU bug. They receive $40,000 as well as 4 Master of Pwn points.

In total, there were eight attempts today, including a Tesla attack and a SharePoint RCE. All unique winning entries will be given the full prize money for this year’s competition.

As a result, hackers received $375,000 (along with a Tesla Model 3!) on the first day of the competition for 12 zero-day exploits.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.