In context: Pwn2Own is an annual hacking contest held at Vancouver’s CanSecWest security conference. The event usually hosts high-profile coders and researchers who can demonstrate their skills by finding and exploiting security vulnerabilities in popular software platforms and technology products.
Trend Micro’s Zero Day Initiative (ZDI) announced Pwn2Own 2023’s first-round winners. Five participants earned $375,000 in prize money from an over $1 million pool by hacking widely popular operating systems, software programs, and a Tesla Model 3 car. The hackers found 12 zero-day vulnerabilities in all.
Offensive security firm Synacktiv compromised a Tesla Model 3 with a TOCTOU (time-of-check to time-of-use) attack in the Automotive category, then escaped access privileges on macOS. The team won the most money, pocketing $140,000, and the hacked Tesla. Its victories put it first on the leaderboard with 14 “Master of Pwn” points for the day.
The STAR Labs team won $115,000 and 11.5 MoP points with a zero-day exploit chain targeting Microsoft SharePoint and successfully hacking the Ubuntu Desktop operating system with a previously known exploit. It will enter Day Two of the competition in second place.
That wraps up the first day of #P2OVancouver 2023! We awarded $375,000 (and a Tesla Model 3!) for 12 zero-days during the first day of the contest. Stay tuned for day two of the contest tomorrow! #Pwn2Own pic.twitter.com/UTvzqxmi8E
— Zero Day Initiative (@thezdi) March 22, 2023
The third spot goes to individual security researcher Abdul Aziz Hariri. Hariri earned $50,000 and 5 MoP points by demonstrating an exploit in Adobe Reader that allowed him to abuse multiple “failed” patches, escape the program’s sandbox, and bypass a banned API list on macOS.
Fourth and fifth on the leaderboard are Qrious Security researcher Bien Pham and individual hacker Marcin Wiazowski. Pham won $40,000 by hacking Oracle’s VM VirtualBox through an OOB Read and a stacked-based buffer overflow. Wiazowski successfully elevated user privileges under Windows 11 with an improper input validation zero-day flaw worth $30,000. Unfortunately, Pham’s four and Wiazowski’s three Master of Pwn points leave the pair with a large gap to reach first or second overall.
Zero Day Initiative will disclose the details of the zero-day vulnerabilities demoed during Pwn2Own 2023 to their respective software vendors. Developers will have 90 days to release security patches. The organization will publicly disclose the flaws after this deadline, regardless of the patch status.
During its three-day schedule, Pwn2Own 2023 will host demonstrations for targeted attacks in categories such as enterprise applications and communication, local privilege escalation, server, virtualization, and automotive. In 2022, the Vancouver hack fest awarded $1,155,000 to security researchers.