On the first day of the Pwn2Own Vancouver 2023 contest, security researchers successfully demoed zero-day exploits. Also, exploit chains on various products, including Tesla Model 3, Windows 11, and macOS. The event is being held between March 22 and March 24. Contestants can earn up to $1,080,000 in cash and prizes, including a Tesla Model 3 car.
Exploits and winners
The contest started with the STAR Labs team (@starlabs_sg) demoing a zero-day exploit chain targeting Microsoft’s SharePoint team collaboration platform. This make earning them $100,000. They also hacked Ubuntu Desktop using a previously known exploit, winning $15,000.
Adobe Reader in the enterprise applications category. It was the first to fall after Haboob SA’s Abdul Aziz Hariri (@abdhariri) used an exploit chain. It was to target a 6-bug logic chain, earning him $50,000.
Synacktiv (@Synacktiv) executed a time-of-check to time-of-use (TOCTOU) attack against the Tesla Gateway in the Automotive category, earning them $100,000 and a Tesla Model 3. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS, winning $40,000.
Qrious Security’s Bien Pham (@bienpnn) hacked Oracle VirtualBox using an out-of-bounds (OOB) read and a stack-based buffer overflow exploit chain, earning $40,000.
Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day, winning $30,000.
Targets for the remaining days for Zero Day
The contest will continue for the next two days. This is with security researchers targeting products in enterprise applications, and enterprise communications. It also includes local escalation of privilege (EoP), server, virtualization, and automotive categories.
Pwn2Own competitors will demo zero-day exploits targeting Microsoft Teams on the second day. They will also target Oracle VirtualBox, the Tesla Model 3 Infotainment Unconfined Root, and Ubuntu Desktop.
On the last day of the contest, security researchers will set their targets again on Ubuntu Desktop and attempt to hack Microsoft Teams, Windows 11, and VMware Workstation.
Disclosure and fixing zero-day vulnerabilities
After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro’s Zero Day Initiative publicly discloses them.
Last year’s Vancouver Pwn2Own contest saw security researchers earning $1,155,000 after hacking Windows 11 six times. Also hack Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days. They also report several zero-days in Apple Safari, Oracle Virtualbox, and Mozilla Firefox and hacks the Tesla Model 3 Infotainment System.
Recap
Pwn2Own Vancouver 2023 has already seen some significant exploits and exploit chains being demoed by security researchers. With more to come in the remaining days of the contest. It remains to be seen how many more zero-day vulnerabilities will be discovered and disclosed, and how vendors will respond to them.
