Pwn2Own 2023: Good Morning Windows 11, Tesla, Ubuntu and macOS Hacked

On the first day of Pwn2Own Vancouver 2023, contestants successfully hacked the Tesla Model 3, Windows 11, Ubuntu Desktop and macOS using zero-day exploits.

They won a total of $375,000 in prize money and a Tesla Model 3 (the same one they hacked)!

During the Pwn2Own Vancouver 2023 competition, competitors target products in the enterprise applications, enterprise communications, local escalation of privilege (EoP), servers, virtualization and automotive categories.

The first to fall in the enterprise applications category was Adobe Reader, after Abdul Aziz Hariri of Haboob SA (@abdhariri) used an exploit chain that abused multiple failed patches to escape the sandbox and bypass a protected API list on macOS. He earned a $50,000 prize.

The STAR Labs team (@starlabs_sg) presented a zero-day exploit chain targeting Microsoft's SharePoint team collaboration platform, earning a $100,000 prize. They also successfully hacked Ubuntu Desktop with a previously known exploit and won an additional $15,000.

The Synacktiv team (@Synacktiv) won $100,000 and a Tesla Model 3 in the automotive category after successfully executing a TOCTOU (time-of-check to time-of-use) attack against Tesla – Gateway. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned an additional $40,000.

Oracle VirtualBox was hacked by Bien Pham of Qrious Security (@bienpnn) using an exploit chain that combined an OOB read and a stack-based buffer overflow. He earned $40,000.

Last but not least, Marcin Wiązowski escalated privileges on Windows 11 using a zero-day and earned a reward of $30,000.

From March 22 to March 24, contestants can win $1,080,000 in cash and prizes, including a Tesla Model 3 car. The top prize for hacking a Tesla is $150,000 and the car itself.

After zero-day vulnerabilities are demonstrated and disclosed during Pwn2Own, vendors have 90 days to build and release security fixes for all reported flaws before Trend Micro's Zero Day Initiative discloses them publicly.

For the record, during last year's Vancouver Pwn2Own contest, security researchers won $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.

They also demonstrated several zero-days in Apple Safari, Oracle VirtualBox and Mozilla Firefox, and hacked the Tesla Model 3 Infotainment System.

Written by Dimitris


