Pwn2Own Day 1 – Windows 11, Red Hat Linux, & Oracle VirtualBox Hacked

Pwn2Own Day 1 - Windows 11, Red Hat Linux, & Oracle VirtualBox Hacked

Security researchers successfully illustrated significant vulnerabilities across several platforms on the first day of Pwn2Own Berlin 2025, taking home a total of $260,000 in prizes.

The competition featured 11 different exploit attempts, including the inaugural AI category entries.

STAR Labs has taken an early lead in the Master of Pwn competition, showcasing their technical prowess across multiple exploitation categories.

– Advertisement –
Master of Pwn
Master of Pwn

Three separate successful attacks against Windows 11 highlighted significant security weaknesses in Microsoft’s flagship operating system.

Chen Le Qi of STARLabs SG demonstrated a sophisticated exploit chain combining a use-after-free (UAF) vulnerability with an integer overflow, successfully escalating privileges to SYSTEM level and earning $30,000.

This multi-stage attack showcases how memory corruption vulnerabilities can be chained for maximum impact.

Security researcher Marcin Wiązowski also breached Windows 11 security through an Out-of-Bounds Write vulnerability, providing another pathway to SYSTEM privileges.

His technically elegant exploitation earned identical compensation of $30,000.

Completing the Windows 11 trifecta, Hyeonjin Choi of Out Of Bounds leveraged a type confusion vulnerability to elevate privileges, demonstrating the diversity of bug classes affecting the platform.

These successful exploits reveal concerning patterns in Windows 11’s security architecture that Microsoft will need to address promptly.

Red Hat Linux Privilege Escalation

Red Hat Linux proved susceptible to multiple privilege escalation techniques during the competition.

Researcher Pumpkin from DEVCORE Research Team successfully exploited an integer overflow vulnerability to elevate privileges, earning $20,000.

Integer overflows continue to present significant risk vectors in memory-unsafe code, even in enterprise Linux distributions.

In a separate attack, Hyunwoo Kim and Wongi Lee of Theori combined an information leak with a UAF vulnerability to achieve root access on Red Hat Linux.

Although partially based on a previously known vulnerability, their exploit chain demonstrated how information disclosure can be leveraged to facilitate more severe attacks.

Despite the bug collision, this technical achievement earned them $15,000 and highlighted ongoing memory safety issues within the Linux kernel that affect even security-focused distributions.

VirtualBox and Docker Escapes

The most lucrative exploits of the day targeted virtualization technologies.

Team Prison Break executed an impressive Oracle VirtualBox escape utilizing an integer overflow vulnerability that allowed code execution on the host operating system.

Their technical achievement in bypassing virtual machine isolation earned them $40,000 and demonstrated serious security implications for virtualized environments.

The day’s highest payout went to Billy and Ramdhan of STAR Labs, who leveraged a UAF vulnerability in the Linux kernel to escape Docker Desktop containment and execute code on the underlying host.

This sophisticated container escape netted them $60,000 and demonstrated how kernel-level vulnerabilities can compromise the isolation guarantees of containerization technologies.

Their technical achievement places STAR Labs as frontrunners in the ongoing Master of Pwn competition.

According to the Report, The Pwn2Own event also made history with the first successful AI security exploit, as Sina Kheirkhah of Summoning Team compromised Chroma, establishing a new frontier in the cybersecurity research landscape.

Day Two promises additional high-caliber technical demonstrations as the competition continues.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!


Source link