Pwn2Own 2023 contestants won more than $1 million by exploiting 27 zero-day flaws in three days
Hackers and security researchers shined during the hack fest
By Alfonso Maruccia
What just happened? This year's Pwn2Own hacking contest in Vancouver awarded more than 1 million dollars to researchers for discovering and exploiting many previously unknown zero-day security vulnerabilities. Over half that money went to a single team.
Pwn2Own is an annual hacking contest organized by Trend Micro's Zero Day Initiative (ZDI) during the CanSecWest security conference in Vancouver. Every year, security researchers and code experts join the digital fray hoping to score big and win some of the bountiful cash prizes provided by ZDI. Five teams of security experts exposed several hacks in popular software and technology products this year.
By the end of the three-day event, contestants had disclosed 27 unique zero-day vulnerabilities and split a combined $1,035,000 (plus the hacked car). The "Master of Pwn" title went to the team from penetration testing firm Synacktiv, which earned 53 Master of Pwn points, $530,000, and the Tesla Model 3.
Synacktiv took a commanding lead on day one when its team compromised a Tesla Model 3 and escalated privileges on macOS. On day two, Synacktiv further solidified its lead by demonstrating a zero-day exploit chain combining a heap overflow and an out-of-bounds (OOB) write against the Tesla infotainment system.
Synacktiv code breakers Thomas Imbert and Thomas Bouzerar also demonstrated a three-bug chain to escalate privileges on Oracle VirtualBox, worth $80,000. Tanguy Dubroca earned $30,000 for a successful privilege escalation demo on Ubuntu Desktop. At the end of day three, Thomas Imbert grabbed another $30,000 for compromising a fully patched Windows 11 system with a use-after-free zero-day bug.
Star Labs came in a distant second, winning $195,000 and 19.5 Master of Pwn points, after exploiting zero-day flaws in Microsoft SharePoint and VMware Workstation, plus a bug collision (a flaw already known to the vendor) on Ubuntu Desktop. Team Viettel took third place, earning $115,000 and 12 Master of Pwn points by hacking Microsoft Teams and Oracle VirtualBox. Qrious Security and lone researcher AbdulAziz Hariri closed the contest in fourth and fifth place with awards of $55,000 (5.5 points) and $50,000 (5 points), respectively.
The Zero Day Initiative will now provide the details of all 27 zero-day vulnerabilities demoed during Pwn2Own 2023 to their respective software vendors. Vendors will have 90 days to fix the flaws and release security patches before ZDI publicly discloses them, regardless of patch availability.