Pierluigi Paganini March 22, 2024

Pwn2Own Vancouver 2024 hacking competition has ended, and participants earned $1,132,500 for demonstrating 29 unique zero-days.

Trend Micro’s Zero Day Initiative (ZDI) announced that participants earned $1,132,500 on the Pwn2Own Vancouver 2024 hacking competition for demonstrating 29 unique zero-days. On day one, the Team Synacktiv successfully demonstrated exploits against a Tesla car.

The researcher Manfred Paul (@_manfp) won the Master of Pwn earning $202,500 and 25 points.

The participants demonstrated multiple zero-day exploits against multiple products, including Apple Safari, Google Chrome, and Microsoft Edge browsers, Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox and of course Tesla.

On Day Two, Manfred Paul (@_manfp) demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.

The researcher Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to achieve remote code execution in the renderer on both Micosoft Edge and Google Chrome. He earned $85,000 and 9 Master of Pwn points. 

The team from STAR Labs SG demonstrated the first Docker desktop escape at Pwn2Own hacking competition by chaining two vulnerabilities, including a UAF. The team STAR Labs SG earned $60,000 and 6 Master of Pwn points.

The complete list of results for the first Two of the Pwn2Own Vancouver 2024 hacking competition is available here:

https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results

Vendors have 90 days to address the vulnerabilities exploited by the participants during the Pwn2Own hacking competition before TrendMicro’s Zero Day Initiative publicly discloses the issues.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own Vancouver 2024)