The Pwn2Own Vancouver 2024 competition has commenced, showcasing a series of significant cybersecurity vulnerabilities across a range of technology products, including Windows 11, Tesla vehicles, and Ubuntu Linux. The event, which is a focal point for cybersecurity experts worldwide, has already seen participants win a total of $732,500 and a Tesla Model 3 car for their disclosures of zero-day vulnerabilities and exploit chains. Among the notable achievements, the team from Synacktiv stood out by securing a Tesla Model 3 and $200,000 for their swift hack into a Tesla ECU using an integer overflow vulnerability.
Highlighted Exploits and Awards
The competition's first day featured a variety of targets and innovative exploitation techniques. Abdul Aziz Hariri of Haboob SA earned $50,000 for exploiting Adobe Reader on macOS through an API restriction bypass and a command injection bug. Theori's security researchers, Gwangun Jung and Junoh Lee, demonstrated a remarkable escape from a VMware Workstation VM to gain SYSTEM-level execution on the host Windows OS, earning them $130,000. This exploit involved a chain of vulnerabilities including an uninitialized variable bug, a use-after-free (UAF) weakness, and a heap-based buffer overflow.
That brings a close to the first day of #Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique 0-days. @Synacktiv currently leads in the hunt for Master of Pwn, but @_manfp is right behind them. Here are the full standings: pic.twitter.com/GbtDzbCFgO
— Zero Day Initiative (@thezdi) March 21, 2024
Additional exploits were demonstrated against virtualization software and web browsers. Reverse Tactics' duo, Bruno PUJOS and Corentin BAYET, exploited Oracle VirtualBox vulnerabilities alongside a Windows UAF bug to escape a VM and achieve SYSTEM privileges, netting $90,000. Manfred Paul successfully targeted Apple Safari, Google Chrome, and Microsoft Edge web browsers using three zero-day vulnerabilities, earning $102,500 for his efforts.
Future Implications and Upcoming Challenges
Following the demonstration of zero-days at Pwn2Own, vendors are given a 90-day period to develop and release security patches for the reported flaws, after which Trend Micro's Zero Day Initiative will publicly disclose them. The competition continues with participants set to target a range of products including Windows 11, VMware Workstation, Oracle VirtualBox, Mozilla Firefox, Ubuntu Desktop, Google Chrome, Docker Desktop, and Microsoft Edge. With over $1,300,000 in prizes, including
