Pwn2Own Vancouver competition ends as hackers win over $1M

Posted on March 26, 2023 at 7:02 PM

The Pwn2Own Vancouver hacking competition has ended. The elite hackers in the competition earned $1,035,000 and a Tesla Model 3 car. The hackers won these prizes after exploiting 27 zero-day vulnerabilities and other bug collisions. The competition ran from March 22 to March 24.

Hackers win over $1M in Pwn2Own competition

The Pwn2Own hacking competition is one of the largest competitions of its kind globally. The hacking competition brings together security researchers tasked with targeting devices within enterprise applications and communications.

The hackers seek to exploit the target systems across multiple categories, such as local escalation of privilege (EoP), virtualization, servers, and automotive. All the systems targeted during the competition are usually up to date and run in their default configuration.

The total prize pool for those who participated and emerged winners in the Pwn2Own Vancouver competition was slightly above $1 million. The prize pool also included a Tesla Model 3 won by the Synacktiv team.

The hackers that participated in this competition managed to escalate privileges successfully. They also obtained code execution on systems that had been fully patched. The competitors breached Windows 11, Microsoft Teams, Microsoft SharePoint, Ubuntu Desktop, macOS, Oracle VirtualBox, VMware Workstation, and the Tesla Model 3.

The hackers breached these systems using zero-day vulnerabilities. After these vulnerabilities have been exploited and reported during the competition, the respective vendors are given 90 days to release patches to fix the bugs. After 90 days, Trend Micro's Zero Day Initiative, which is behind the competition, will publicly disclose the bugs.

The Synacktiv team dominated the contest

The competition was won by team Synacktiv. This team garnered 53 Master of Pwn points. It earned a total of $530,000 in the competition that lasted for three days. The hackers made their first win on the very first day of the competition.

During the first day of Pwn2Own Vancouver, the Synacktiv hackers received a reward of $100,000 and a Tesla Model 3 after they executed a time-of-check to time-of-use (TOCTOU) attack against the car. The team breached the Tesla through the Tesla – Gateway target in the Automotive category.

The hackers also exploited a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS. The exploit earned the hackers $40,000. The hackers stole the show during both the first and the second day of the competition.

During the second day, the members of the Synacktiv team again dominated the show. A $250,000 award was given to David Berard and Vincent Dehors after they demonstrated a heap overflow and an OOB write zero-day exploit chain on the Tesla – Infotainment Unconfined Root target.

The other Synacktiv team members, Thomas Imbert and Thomas Bouzerar, demonstrated a three-bug chain. The chain was used to escalate privileges on the Oracle VirtualBox host. The two earned $80,000 because of the demo.

Tanguy Dubroca also received a $30,000 award after exploiting an incorrect pointer scaling zero-day. The exploit resulted in a privilege escalation on Ubuntu Desktop.

The Synacktiv team also dominated on the third day of the competition. During this last day, Thomas Imbert from the Synacktiv team breached a fully patched Windows 11 system. The hacker won $30,000 for this exploit, which targeted a use-after-free (UAF) zero-day.

Synacktiv was not the only team that made successful zero-day exploits during the competition. The STAR Labs Team won $195,000 for zero-day Microsoft SharePoint and VMware Workstation exploits. The team also had a bug collision on Ubuntu Desktop.

Team Viettel was also among the winning teams in the competition. The team was awarded $115,000 after hacking Microsoft Teams and Oracle VirtualBox. This year's Pwn2Own competition was not different from the one held last year.

In 2022, the Pwn2Own Vancouver hacking competition, which was held in May, saw security researchers win $1,155,000 and a car. During the competition, hackers hacked the Tesla Model 3 Infotainment System. They also took down Windows 11, Ubuntu Desktop, Microsoft Teams, and others using multiple zero-day vulnerabilities and exploit chains.

These hacking competitions are usually useful to the tech companies that participate in them because they allow the companies to detect and patch vulnerabilities before malicious threat actors exploit them in the wild.
