Pwn2Own Vancouver 2023 has ended with contestants earning $1,035,000 and a Tesla Model 3 car for 27 zero-days (and several bug collisions) exploited between March 22 and 24.
During the hacking competition, security researchers targeted devices in the enterprise applications and communications, local escalation of privilege (EoP), virtualization, servers, and automotive categories, all fully up-to-date and in their default configuration.
The total prize pool for Pwn2Own Vancouver 2023 was over $1,000,000 in cash and a Tesla Model 3, which Team Synacktiv won.
The hackers successfully escalated privileges and gained code execution on fully patched systems after hacking Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and, of course, the Tesla Model 3.
After the zero-day vulnerabilities are exploited and reported during Pwn2Own, vendors are given 90 days to release security fixes before Trend Micro’s Zero Day Initiative publicly discloses them.
Contest dominated by Team Synacktiv
Team Synacktiv won the competition with 53 Master of Pwn points and $530,000 earned in total throughout the three days of the contest.
On the first day of Pwn2Own Vancouver, Synacktiv’s hackers were awarded $100,000 and a Tesla Model 3 after executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also exploited a TOCTOU zero-day bug to escalate privileges on Apple macOS and earn $40,000.
On the second day of the contest, Synacktiv members’ hacking exploits were also the highlight of the show, with a $250,000 award for David Berard (@_p0ly_) and Vincent Dehors (@vdehors) after demonstrating a heap overflow and an OOB write zero-day exploit chain against the Tesla – Infotainment Unconfined Root.
Synacktiv’s Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) also demoed a three-bug chain to escalate privileges on an Oracle VirtualBox host and earned $80,000, while Tanguy Dubroca (@SidewayRE) got a $30,000 award for an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop.
On the third and last day of the competition, Synacktiv’s Thomas Imbert (@masthoon) took down a fully patched Windows 11 system to earn $30,000 for a Use-After-Free (UAF) zero-day.
The STAR Labs Team also won $195,000 for zero-days in Microsoft SharePoint and VMware Workstation and an Ubuntu Desktop collision, while Team Viettel was awarded $115,000 after hacking Microsoft Teams and Oracle VirtualBox.
At last year’s Pwn2Own Vancouver hacking competition, in May 2022, researchers earned $1,155,000 and a car after hacking the Tesla Model 3 Infotainment System and taking down Windows 11, Ubuntu Desktop, Microsoft Teams, and more using multiple zero-day bugs and exploit chains.