Pierluigi Paganini
March 23, 2023
The Pwn2Own Vancouver 2023 has begun, this hacking competition has 19 entries targeting nine different targets – including two Tesla attempts.
On the first day of the event, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day vulnerabilities demonstrated by the participants.
The first hack of the day was performed by the AbdulAziz Hariri (@abdhariri) of Haboob SA (@HaboobSa), who demonstrated a zero-day attack against Adobe Reader in the Enterprise Applications category. Hariri earned $50,000 and 5 Master of Pwn points.
One of the most interesting attacks was conducted by the Singapore team STAR Labs (@starlabs_sg), they successfully targeted Microsoft SharePoint in the Server category earning $100,000 and 10 Master of Pwn points.
The STAR Labs team also hacked Ubuntu Desktop with a previously known exploit earning $15,000 and 1.5 Master of Pwn points.
Bien Pham (@bienpnn) from Qrious Security (@qriousec) exploited an OOB Read and a stacked-based buffer overflow against Oracle VirtualBox. He earned $40,000 and 4 Master of Pwn points.
Then the researcher Marcin Wiązowski exploited an improper input validation issue to elevate privileges on Windows 11. He earned $30,000 and 3 Master of Pwn points.
The team of the offensive security company Synacktiv (@Synacktiv) demonstrated a TOCTOU (time-of-check to time-of-use) attack against Tesla – Gateway. They earned $100,000 and 10 Master of Pwn points and a Tesla Model 3. The same team also exploited a TOCTOU bug to escalate privileges on Apple macOS earning $40,000 and 4 Master of Pwn points.
The only failed attempt of the day was of last_minute_pwnie which attempted to demonstrate an Ubuntu exploit.
The Pwn2Own Vancouver 2023 continues … stay tuned!
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Pwn2Own Vancouver 2023)
