Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023


On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.

The first to fall was Adobe Reader in the enterprise applications category after Haboob SA’s Abdul Aziz Hariri (@abdhariri) used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.

The STAR Labs team (@starlabs_sg) demoed a zero-day exploit chain targeting Microsoft’s SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.

Synacktiv (@Synacktiv) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.

Oracle VirtualBox was hacked using an OOB Read and a stack-based buffer overflow exploit chain (worth $40,000) by Qrious Security’s Bien Pham (@bienpnn).

Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.

Throughout the Pwn2Own Vancouver 2023 contest, security researchers will target products in the enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories.

On the second day, Pwn2Own competitors will demo zero-day exploits targeting Microsoft Teams, Oracle VirtualBox, the Tesla Model 3 Infotainment Unconfined Root, and Ubuntu Desktop.

On the last day of the competition, security researchers will set their targets once again on Ubuntu Desktop and attempt to hack Microsoft Teams, Windows 11, and VMware Workstation.

Between March 22 and March 24, contestants can earn $1,080,000 in cash and prizes, including a Tesla Model 3 car. The top award for hacking a Tesla is now $150,000, and the car itself.

After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro’s Zero Day Initiative publicly discloses them.

During last year’s Vancouver Pwn2Own contest, security researchers earned $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.

They also reported several zero-days in Apple Safari, Oracle Virtualbox, and Mozilla Firefox and hacked the Tesla Model 3 Infotainment System.
