Microsoft Teams, VirtualBox, Tesla zero-days exploited at Pwn2Own


On the second day of Pwn2Own Vancouver 2023, contestants were awarded $475,000 after successfully exploiting 10 zero-days in multiple products.

The list of hacked targets included the Tesla Model 3, Microsoft's Teams communication platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system.

The second day's highlight was a successful attempt by Synacktiv's David Berard (@_p0ly_) and Vincent Dehors (@vdehors) against the Tesla – Infotainment Unconfined Root target.

This earned them $250,000 and allowed them to take home a Tesla Model 3 after hacking it via a heap overflow and an out-of-bounds (OOB) write exploit chain.

Synacktiv's Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) also successfully exploited a three-bug chain to escalate privileges on an Oracle VirtualBox host, earning $80,000.

In a third attempt from Synacktiv, Tanguy Dubroca (@SidewayRE) was awarded $30,000 for demoing an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop.

Synacktiv’s Tesla Infotainment zero-day demo (ZDI)

Team Viettel (@vcslab) also hacked Microsoft Teams via a two-bug chain to earn $78,000, and Oracle VirtualBox using a use-after-free (UAF) bug and an uninitialized variable for $40,000.

On the first day, Pwn2Own contestants were awarded $375,000 and a Tesla Model 3 after successfully demoing 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox, and macOS.

On the final day of the contest, security researchers will attempt to exploit zero-day bugs in Ubuntu Desktop, Microsoft Teams, Windows 11, and VMware Workstation.

Pwn2Own Vancouver 2023 contestants can earn $1,080,000 in cash and two Tesla Model 3 cars between March 22 and March 24.

Researchers will target products from multiple categories during the contest, including enterprise applications, enterprise communications, servers, virtualization, automotive, and local escalation of privilege (EoP).

“This year's event promises some exciting research as we have 19 entries targeting 9 different targets – including two Tesla attempts,” ZDI said.

“For this year's event, every round will pay full price, which means if all exploits succeed, we'll award over $1,000,000 USD.”

Vendors have to patch zero-day vulnerabilities demoed and disclosed during Pwn2Own within 90 days, before Trend Micro's Zero Day Initiative publicly publishes technical details.

At Pwn2Own Vancouver 2022, security researchers earned $1,155,000 after hacking the Tesla Model 3 Infotainment System, taking down Windows 11 six times, demonstrating three Microsoft Teams zero-days, and exploiting Ubuntu Desktop four times.
