On the third day of the Pwn2Own hacking contest, security researchers received $185,000 after demonstrating 5 zero-day exploits targeting Windows 11, Ubuntu Desktop and VMware Workstation virtualization software.
The highlight of the day was that the Ubuntu Desktop operating system was hacked three times by three different teams, although one of the attempts was a collision with a previously known exploit.
The three working Ubuntu zero-day exploits were demonstrated by ASU SEFCOM’s Kyle Zeng (a double-free bug), Theori’s Mingi Cho (a use-after-free vulnerability), and Qrious Security’s Bien Pham (@bienpnn).
While the first two earned $30,000 each for their zero-day exploits, Pham made only $15,000 due to a bug collision.
A fully patched Windows 11 system was hacked again at Pwn2Own, with Thomas Imbert (@masthoon) of Synacktiv (@Synacktiv) earning $30,000 for a Use-After-Free (UAF) bug.
Finally, the team at STAR Labs (@starlabs_sg) used an uninitialized variable and UAF exploit chain against VMware Workstation for an $80,000 bounty.
On day one, Pwn2Own Vancouver 2023 participants earned $375,000 and a Tesla Model 3 after demonstrating 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox and macOS.
On day two, competitors received $475,000 after exploiting 10 zero-days across multiple products including Windows 11, Tesla, Ubuntu, and macOS.
This brings the grand total to $1,035,000 and a car, awarded for 27 zero-day exploits demonstrated over the three days of this year’s Pwn2Own Vancouver 2023 competition.
The winner of the competition is Synacktiv, which received $530,000 and a Tesla Model 3 for its exploits.
At Pwn2Own Vancouver 2023, security researchers focused on software across multiple categories, including automotive, enterprise applications and communications, servers, virtualization, and local escalation of privileges (EoP).
“At this year’s event, each round will pay full prize, which means if all exploits are successful, we will award over $1,000,000,” he said.
Vendors have 90 days to patch the zero-day bugs demonstrated and disclosed during Pwn2Own before Trend Micro’s Zero-Day Initiative publicly announces technical details.
At last year’s Pwn2Own Vancouver hacking competition, researchers were awarded $1,155,000 after hacking the Tesla Model 3 infotainment system and crippling Windows 11, Microsoft Teams, and Ubuntu Desktop with multiple zero-day bugs and exploit chains.