Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023
On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.
The first to fall was Adobe Reader in the enterprise applications category after Haboob SA’s Abdul Aziz Hariri (@abdhariri) used an exploit chain targeting a 6-bug logic chain abusing a pair of failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.
The STAR Labs team (@starlabs_sg) demoed a zero-day exploit chain targeting Microsoft’s SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.
Synacktiv (@Synacktiv) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.
Oracle VirtualBox was hacked using an OOB Read and a stack-based buffer overflow exploit chain (worth $40,000) by Qrious Security’s Bien Pham (@bienpnn).
Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.
That wraps up the first day of #P2OVancouver 2023! We awarded $375,000 (and a Tesla Model 3!) for 12 zero-days during the first day of the contest. Stay tuned for day two of the contest tomorrow! #Pwn2Own pic.twitter.com/UTvzqxmi8E
— Zero Day Initiative (@thezdi) March 22, 2023
Throughout the Pwn2Own Vancouver 2023 contest, security researchers will target products in enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories.
On the second day, Pwn2Own competitors will demo zero-day exploits targeting Microsoft Teams, Oracle VirtualBox, the Tesla Model 3 Infotainment Unconfined Root, and Ubuntu Desktop.
On the last day of the contest, security researchers will set their targets once again on Ubuntu Desktop and attempt to hack Microsoft Teams, Windows 11, and VMware Workstation.
Between March 22 and March 24, contestants can earn $1,080,000 in cash and prizes, including a Tesla Model 3 car. The top award for hacking a Tesla is now $150,000, and the car itself.
After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to develop and release security fixes for all reported flaws before Trend Micro’s Zero Day Initiative publicly discloses them.
During last year’s Vancouver Pwn2Own contest, security researchers earned $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.
They also reported several zero-days in Apple Safari, Oracle VirtualBox, and Mozilla Firefox and hacked the Tesla Model 3 Infotainment System.