
Trend Micro’s Zero Day Initiative announced that participants earned $1,132,500 at the Pwn2Own Vancouver 2024 hacking competition for demonstrating 29 unique zero-days against targets including a Tesla car, Linux and Windows operating systems, and more.
The team Synacktiv earned $200,000 for demonstrating an integer overflow exploit against a Tesla car. The team targeted the electronic control unit (ECU) with CAN bus control. The team also won a new Tesla Model 3.
The researchers Gwangun Jung and Junoh Lee from cyber security firm Theori chained an uninitialized variable bug, a UAF, and a heap-based buffer overflow to achieve a VMware Workstation escape and execute code as SYSTEM on the host Windows OS. The team earned $130,000 and won 13 Master of Pwn points.
The researcher Manfred Paul chained an integer underflow bug and a PAC bypass in Apple Safari to achieve remote code execution on the popular browser. He earned $60,000 and 6 Master of Pwn points.
Bruno PUJOS and Corentin BAYET from software reverse engineering & vulnerability discovery company REverse Tactics chained a buffer overflow and a Windows UAF bypass in Oracle VirtualBox to escape the guest OS and execute code as SYSTEM on the host OS. The team earned $90,000 and 9 Master of Pwn points.
The complete list of results for the first day of the Pwn2Own Vancouver 2024 hacking competition is available here:
https://www.zerodayinitiative.com/blog/2024/3/20/pwn2own-vancouver-2024-day-one-results
On Day Two, Manfred Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.
The researcher Seunghyun Lee of KAIST Hacking Lab used a UAF to achieve remote code execution in the renderer on both Microsoft Edge and Google Chrome. He earned $85,000 and 9 Master of Pwn points.
The team from STAR Labs SG demonstrated the first Docker Desktop escape at the Pwn2Own hacking competition by chaining two vulnerabilities, including a UAF. The team STAR Labs SG earned $60,000 and 6 Master of Pwn points.
The complete list of results for the first two days of the Pwn2Own Vancouver 2024 hacking competition is available here:
https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results
Vendors have 90 days to address the vulnerabilities exploited by the participants during the Pwn2Own hacking competition before Trend Micro’s Zero Day Initiative publicly discloses the issues.

