Pwn2Own Vancouver 2024 concluded with a resounding success for security researchers, who collectively earned a staggering $1,132,500 by demonstrating 29 zero-day vulnerabilities and encountering some intriguing bug collisions. Throughout the event, participants set their sights on a diverse array of targets spanning various categories, including web browsers, cloud-native/container solutions, virtualization platforms, enterprise applications, servers, local escalation of privilege (EoP) scenarios, enterprise communications systems, and even automotive technologies, all of which were running the latest updates in their default configurations.
The event boasted a total prize pool exceeding $1.3 million in cash rewards and a coveted Tesla Model 3, which Team Synacktiv claimed victoriously on the first day of competition. Security enthusiasts successfully achieved code execution and privilege escalation on fully patched systems by exploiting vulnerabilities in a range of software and platforms, including Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, as well as popular web browsers such as Apple Safari, Google Chrome, and Microsoft Edge.
Following the conclusion of the event, vendors now have a 90-day window to release security patches addressing the zero-day vulnerabilities reported during Pwn2Own contests before Trend Micro’s Zero Day Initiative publicly discloses them.
The leaderboard for Pwn2Own Vancouver 2024 showcased impressive feats of cybersecurity prowess, with Manfred Paul emerging as this year’s champion. With 25 Master of Pwn points and a hefty $202,500 in earnings, Paul showcased his expertise by successfully exploiting vulnerabilities in Safari, Chrome, and Edge web browsers. Notably, Paul’s exploits included a remote code execution (RCE) attack on Safari via an integer underflow bug and a PAC bypass zero-day combo, as well as a double-tap RCE exploit targeting Chrome and Edge.
Synacktiv, meanwhile, made headlines on the first day by securing a Tesla Model 3 and $200,000 after swiftly hacking the Tesla ECU with Vehicle (VEH) CAN BUS Control in under 30 seconds using an integer overflow exploit.
On the second day of Pwn2Own Vancouver, Paul continued his winning streak by leveraging an out-of-bounds (OOB) write zero-day vulnerability to achieve RCE and successfully escape Mozilla Firefox’s sandbox using an exposed dangerous function weakness.
Other notable achievements from the event included privilege escalation exploits targeting Windows 11, VMware Workstation, and Ubuntu Linux, successful attacks on Oracle VirtualBox and Docker, and various browser exploits.
With the conclusion of Pwn2Own Vancouver 2024, the cybersecurity community eagerly awaits the release of security patches from affected vendors, while researchers gear up for future challenges in the ongoing battle against emerging cyber threats.