Researchers have received $400,000 for 26 distinct 0-day flaws in the Toronto Pwn2Own hacking competition.
Followed by Day 1 of the event, Samsung Galaxy was successfully used in two SOHO Smashup demonstrations and was exploited twice.
Pwn2Own Day 2
In the NAS category, Luca MORO was successful in using their Classic Buffer Overflow attack against the WD My Cloud Pro Series PR4100. $40K and 4 Master of Pwn points are theirs to keep.
On the first try of Day 2, ANHTUD Information Security Department was successful in running exploits against 2 flaws, one of which was a stack-based buffer overflow, on an HP Color LaserJet Pro M479fdw in the Printer class. $10K and 2 Master of Pwn points are theirs to keep.
Aleksei Stafeev successfully launched an attack on the Lexmark MC3224i in the Printer category for his final try of the evening using a special command injection and another flaw discovered earlier in the competition. 7.5K dollars and 1.5 Master of Pwn points are awarded.
SOHO Smashup Category
In the first SOHO SMASHUP challenge, Bugscale successfully launched an attack using one new bug and another known bug against the Synology router and HP printer. They receive 7.5 Master of Pwn points as well as $37,500.
Smart Speaker Category
The Sonos One Speaker in the Smart Speaker category was the target of an attack carried out by Toan Pham and Tri Dang from Qrious Secure exploiting 2 flaws. 60K and 6 Master of Pwn points are theirs.
With the help of one unique flaw and another previously identified bug, STAR Labs was successful in launching an attack against the Sonos One Speaker in the Smart Speaker category. They receive 4.5 Master of Pwn points and $22,500.
The NETGEAR RAX30 AX2400 was vulnerable to two attacks that PHPHooligans were able to run against the WAN interface. The tricks they employed, meanwhile, had already been used in the competition. Still, they receive $10,000 and one Master of Pwn point.
Using one special defect and another N-day, NCC Group EDG was able to successfully launch an attack against the WAN interface of the NETGEAR RAX30 AX2400 in the router category. 7.5K dollars and 1.5 Master of Pwn points are awarded.
Mobile Phone Category
Interrupt Labs was successful in using its faulty input validation attack against the Samsung Galaxy S22. They receive 5 Master of Pwn points and $25K.
“This event is going to be our largest ever, with 26 teams attempting 66 exploits against various targets,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in an interview.
Notably, participants at the Miami event in April received US$400,000 for successfully displaying 26 exploits and bug collisions. Participants in Vancouver received US$1.15 million in May for demonstrating 25 original zero-day exploits.
Penetration Testing As a Service – Download Red Team & Blue Team Workspace