Pwn2Own Vancouver 2024 Hacking Competition Concludes

The Pwn2Own Vancouver 2024 hacking competition concluded with security researchers demonstrating 29 zero-day vulnerabilities and earning a total of $1,132,500 in prize money, with notable exploits including remote code execution on various systems and browsers.

At a glance

  • The Pwn2Own Vancouver 2024 hacking competition concluded with security researchers demonstrating 29 zero-day vulnerabilities and bug collisions, earning a total of $1,132,500 in prize money.
  • Team Synacktiv won a Tesla Model 3 on the first day of the competition and earned $200,000.
  • Manfred Paul emerged as the winner, earning 25 Master of Pwn points and a total of $202,500 by exploiting multiple zero-day vulnerabilities.
  • Various exploits were showcased, including escaping a VMware Workstation VM, hacking Apple Safari, Google Chrome, and Microsoft Edge browsers, and exploiting Oracle VirtualBox bugs.
  • Competitors targeted fully patched products across categories like web browsers, cloud-native/container, virtualization, enterprise applications, servers, local privilege escalation, enterprise communications, and automotive.

The details

The Pwn2Own Vancouver 2024 hacking competition concluded with security researchers showcasing their skills and collecting a total of $1,132,500 in prize money after demonstrating 29 zero-day vulnerabilities and some bug collisions.

The event, which focused on targeting software and products across various categories such as web browsers, cloud-native/container, virtualization, enterprise applications, servers, local escalation of privilege (EoP), enterprise communications, and automotive, had a prize pool exceeding $1,300,000 in cash rewards, including a Tesla Model 3.

Team Synacktiv made an impressive start by winning the Tesla Model 3 on the first day of the competition.

Competitors were able to successfully execute code and escalate privileges on fully patched systems by exploiting various systems and browsers.

Vendors have been given a 90-day deadline to release security fixes for the zero-day vulnerabilities identified during the Pwn2Own contests.

Manfred Paul emerged as the winner of Pwn2Own Vancouver 2024, earning 25 Master of Pwn points and a total of $202,500 throughout the two-day competition.

He utilized multiple zero-day vulnerabilities to achieve remote code execution and escape the sandbox of Mozilla Firefox.

Additionally, Synacktiv’s success on the first day was highlighted by their win of a Tesla Model 3 car and $200,000.

In a separate demonstration, Pwn2Own Vancouver 2024 contestants revealed 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux, and other devices and software.

Notable exploits included Abdul Aziz Hariri’s use of an Adobe Reader exploit to gain code execution on macOS and earn $50,000. Synacktiv also earned $200,000 and a Tesla Model 3 by hacking the Tesla ECU with Vehicle (VEH) CAN BUS Control.

Security researchers at Theori earned $130,000 by escaping a VMware Workstation VM to gain code execution on the host Windows OS. Reverse Tactics collected $90,000 by exploiting two Oracle VirtualBox bugs and a Windows Use-After-Free (UAF) vulnerability.

Manfred Paul further demonstrated his prowess by hacking Apple Safari, Google Chrome, and Microsoft Edge web browsers, resulting in a prize of $102,500.

Vendors have 90 days to develop and release security patches for all reported flaws after the zero-day vulnerabilities are demonstrated at Pwn2Own.

Competitors are targeting fully patched products across various categories, with the aim of exploiting zero-day bugs on the second day of the event.

Hacker rewards for successful exploits can exceed $1,300,000, with the opportunity to win a Tesla Model 3 car for specific exploits targeting the Tesla Autopilot.

A substantial award of $300,000 is available for achieving successful Hyper-V Client guest-to-host escape and privilege escalation on the host OS using a Windows kernel vulnerability.

The previous year’s Vancouver Pwn2Own event saw hackers earn $1,035,000 and a Tesla car for 27 zero-day vulnerabilities across various software and systems.

Synacktiv also made a mark by hacking the Tesla Modem and Infotainment System during the inaugural Pwn2Own Automotive event in January.

Article X-ray


Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– Pwn2Own Vancouver 2024 ended with security researchers collecting $1,132,500 after demoing 29 zero-days and some bug collisions
– The event targeted software and products in various categories including web browser, cloud-native/container, virtualization, enterprise applications, server, local escalation of privilege (EoP), enterprise communications, and automotive
– The total prize pool was over $1,300,000 in cash prizes and a Tesla Model 3
– Team Synacktiv won the Tesla Model 3 on the first day
– Competitors successfully gained code execution and escalated privileges on fully patched systems after hacking various systems and browsers
– Vendors have 90 days to release security fixes for zero-day vulnerabilities reported during Pwn2Own contests
– Manfred Paul won this year’s edition of Pwn2Own Vancouver with 25 Master of Pwn points and $202,500 earned throughout the two-day competition
– Synacktiv also made Pwn2Own Vancouver 2024’s Day 1 highlight reel after winning a Tesla Model 3 car and $200,000
– Manfred Paul exploited various zero-day vulnerabilities to gain remote code execution and escape Mozilla Firefox’s sandbox
– ZDI has awarded $3,494,750 during the last three Pwn2Own hacking contests
– At Pwn2Own Vancouver 2023, hackers collected $1,035,000 in awards and a Tesla car for 27 zero-days in various systems and browsers
bleepingcomputer.com
– Pwn2Own Vancouver 2024 contestants demonstrated 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux, and other devices and software
– Abdul Aziz Hariri used an Adobe Reader exploit to gain code execution on macOS and earn $50,000
– Synacktiv won $200,000 and a Tesla Model 3 by hacking the Tesla ECU with Vehicle (VEH) CAN BUS Control
– Theori security researchers earned $130,000 by escaping a VMware Workstation VM to gain code execution on the host Windows OS
– Reverse Tactics collected $90,000 by exploiting two Oracle VirtualBox bugs and a Windows UAF
– Manfred Paul hacked Apple Safari, Google Chrome, and Microsoft Edge web browsers, winning $102,500
– Vendors have 90 days to create and release security patches for all reported flaws after the zero-days are demoed at Pwn2Own
– Security researchers will target fully patched products in various categories throughout Pwn2Own Vancouver 2024
– Competitors will attempt to exploit zero-day bugs in various software and systems on the second day of Pwn2Own
– Hackers can earn over $1,300,000, including a Tesla Model 3 car, during the two days of the hacking competition
– Competitors can win a maximum award of $500,000 and a Tesla Model 3 car for specific exploits targeting the Tesla Autopilot
– A $300,000 award is available for successful Hyper-V Client guest-to-host escape and privilege escalation on the host OS using a Windows kernel vulnerability
– During the previous year’s Vancouver Pwn2Own, hackers earned $1,035,000 and a Tesla car for 27 zero-days in various software and systems
– Synacktiv also hacked the Tesla Modem and Infotainment System during the first edition of Pwn2Own Automotive in January
