29 0-days Uncovered: Hackers Earned $1,132,500 at Pwn2Own Vancouver 2024
Pwn2Own Vancouver 2024 has come to an end, with researchers receiving a total of $1,132,500 for uncovering 29 unique zero-day vulnerabilities.
Manfred Paul has been awarded the title of Master of Pwn. In all, he earned $202,500 and 25 points.
On the first day, a new Tesla Model 3 was awarded to the Synacktiv (@synacktiv) team.
Highlights Of Day 2
Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation flaw. He received $15,000 along with three Master of Pwn points.
Two bugs were used in STAR Labs SG's VMware Workstation exploit. The first is an uninitialized variable, while the other was previously known.
They still earn $30,000 and six Master of Pwn points.
To exploit Oracle VirtualBox, ColdEye used two vulnerabilities, one of which was a UAF.
He even left the guest OS intact. He gains four Master of Pwn points and $20,000 for his guest-to-host escape.
Manfred Paul (@_manfp) executed his Mozilla Firefox sandbox escape using an OOB Write for the RCE and an exposed dangerous function bug.
He gains a further $100,000 in addition to 10 Master of Pwn points, putting him in the lead with 25.
Gabriel Kirkpatrick (gabe_k of exploits.forsale), a first-time Pwn2Own competitor, escalated privileges on Windows 11 by using an inherently tricky race condition.
Along with three Master of Pwn points, he receives $15,000.
Palo Alto Networks' Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) leveraged an OOB Read along with a novel technique to get past V8 hardening and achieve arbitrary code execution in the renderer.
They went on to use the same bugs to exploit both Chrome and Edge, collecting $42,500 and 9 Master of Pwn points.
KAIST Hacking Lab's Seunghyun Lee (@0x10n) used a UAF to achieve RCE in the renderer on both Microsoft Edge and Google Chrome.
He receives 9 Master of Pwn points and $85,000. His contest total now stands at $145,000 plus 15 Master of Pwn points.
Using an Improper Update of Reference Count flaw, Valentina Palmiotti (@chompie1337) of IBM X-Force was able to escalate privileges on Windows 11.
She won three Master of Pwn points and $15,000 after nailing her first Pwn2Own competition.
On the first day of Pwn2Own, the hackers successfully hacked Oracle VM, Adobe Reader, Microsoft SharePoint, Tesla ECU, and Ubuntu.
Notably, by combining a heap-based buffer overflow, a UAF, and an uninitialized variable flaw, Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) were able to escape VMware Workstation and run code as SYSTEM on the host Windows OS.
They earn $130,000 and 13 Master of Pwn points for their outstanding achievement.
The Synacktiv (@synacktiv) team exploited the Tesla ECU with Vehicle (VEH) CAN BUS Control using a single integer overflow.
The winners earn a new Tesla Model 3 (their second!), $200,000, and 20 Master of Pwn points.
Based on the last three Pwn2Own events (Vancouver, Automotive, and Toronto), ZDI has given out $3,494,750 at Pwn2Own events this year.
You can also find a complete overview of the Pwn2Own Vancouver 2024 Day 2 results here.
Source credit: cybersecuritynews.com