Microsoft Teams, VirtualBox, Tesla Zero-Days Exploited – Pwn2Own Day Two

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

On Day 2 of Pwn2Own Vancouver 2023, participants received $475,000 in cash prizes for 10 unique zero-day exploits.

The Tesla Model 3, the Microsoft Teams communication platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system were all on the list of targets that were hacked.

The first demonstration came from Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) of Synacktiv (@Synacktiv), who showed a three-bug chain against Oracle VirtualBox with a host EoP.

One of the bugs was already known. They receive $80,000 and 8 Master of Pwn points.

Microsoft Teams was also hacked by Team Viettel (@vcslab) using a 2-bug chain, earning them $75,000 and 8 Master of Pwn points.

David Berard (@_p0ly_) and Vincent Dehors (@vdehors) of Synacktiv (@Synacktiv) exploited the Tesla Infotainment Unconfined Root target via a heap overflow and an OOB write. After collecting $250,000 and 25 Master of Pwn points, they are eligible for a Tier 2 reward.

Oracle VirtualBox was exploited by dungdm (@_piers2) of Team Viettel (@vcslab) using an uninitialized variable and a UAF flaw. They get $40,000 and 4 Master of Pwn points.

On Ubuntu Desktop, Tanguy Dubroca (@SidewayRE) of Synacktiv (@Synacktiv) used an incorrect pointer scaling bug to escalate privileges, earning $30,000 and 3 Master of Pwn points.

From March 22 to March 24, participants in Pwn2Own Vancouver 2023 can win $1,080,000 in cash and two Tesla Model 3 cars.

During the competition, researchers will focus on products from various categories, such as enterprise applications, enterprise communications, servers, virtualization, automotive, and local escalation of privilege (EoP).

“This year’s event promises some exciting research as we have 19 entries targeting nine different targets – including two Tesla attempts”, says ZDI.

“For this year’s event, every round will pay full price, which means if all exploits succeed, we’ll award over $1,000,000 USD”.
