Tag Archive for: PWN2OWN

Security Researchers Win Second Tesla At Pwn2Own


A team of French security researchers have won a Tesla Model 3 and $200,000 after finding a zero-day vulnerability in a vehicle’s electronic control unit (ECU).

The Synacktiv team were at the top of the leaderboard after one day of Pwn2Own Vancouver 2024, the latest hacking contest held by Trend Micro’s Zero Day Initiative (ZDI).

Little is known about the vulnerability, as all bugs discovered during the course of the competition are responsibly disclosed to the relevant vendor for patching. However, what we do know is that Synacktiv used a single integer overflow flaw to exploit a Tesla ECU with Vehicle (VEH) CAN BUS Control. This is the second car they’ve won in Pwn2Own competitions.

Read more on Pwn2Own: Pwn2Own Contest Unearths Dozens of Zero-Day Vulnerabilities

Day one of the contest saw the ZDI hand out $732,500 for 19 unique zero-day vulnerabilities, which will ultimately help the vendors participating in the competition make their products more secure.

Other highlights included Manfred Paul, who was awarded a total of $102,500 on the day after achieving remote code execution (RCE) on Apple Safari with an integer underflow bug and demonstrating a PAC bypass using a weakness in the same browser.

In round two of the contest, he executed a double-tap exploit on both Chrome and Edge browsers with a rare CWE-1284 “improper validation of specified quantity in input” vulnerability.

Just behind Paul on the Pwn2Own leaderboard is South Korean Team Theori, which earned $130,000 after combining an uninitialized variable bug, a use-after-free (UAF) vulnerability and a heap-based buffer overflow to escape a VMware Workstation and then execute code as system on the host Windows OS.

Competitors in Vancouver yesterday also received prize money for finding zero-days in Adobe Reader, Windows 11, Ubuntu Linux and Oracle VirtualBox.

A total of $1.3m is up for grabs in cash and prizes across the three-day event.

Image credit: canadianPhotographer56 / Shutterstock.com

Source…

Over $1 Million Awarded To Hackers In Pwn2Own Toronto


Pwn2Own, the annual computer hacking contest that concluded in Toronto, Canada, on October 27, 2023, saw security researchers earning $1,038,500 for 58 unique zero-day exploits (and multiple bug collisions).

The four-day hacking event was held between October 24, 2023, and October 27, 2023, with prize money to be won over $1,000,000 USD and other forms of prizes available for contestants.

The hacking event had multiple categories for the security researchers to target in the competition, which included printers, surveillance systems, network-attached storage (NAS) devices, mobile phones, home automation hubs, smart speakers, and Google’s Pixel Watch and Chromecast devices.

The hacking contest saw the Samsung Galaxy S23 being successfully hacked four times by the teams of Pentest Ltd, STAR Labs SG, Interrupt Labs, and ToChim. While Pentest Ltd and Interrupt Labs were able to execute an Improper Input Validation against the Samsung Galaxy S23, STAR Labs SG and ToChim were able to exploit a permissive list of allowed inputs against the smartphone.

Further, the exploitation of Samsung Galaxy S23 earned the Pentest Ltd and Interrupt Labs teams a reward of $50,000 and $25,000, respectively, and 5 Master of Pwn points, while the STAR Labs SG and ToChim teams got $25,000 and 5 Master of Pwn points each for their exploits.

Other Highlights:

  • Chris Anastasio was able to exploit a bug in the TP-Link Omada Gigabit Router and another in the Lexmark CX331adwe for $100,000
  • Team Orca of Sea Security executed a 2-bug chain using an OOB Read and UAF against the Sonos Era 100 for $60,000
  • A DEVCORE Intern executed a stack overflow attack against the TP-Link Omada Gigabit Router and exploited two bugs in the QNAP TS-464 for $50,000
  • Team Viettel was able to execute a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup for $50,000
  • Xiaomi, Western Digital, Synology, Canon, Lexmark, Sonos, TP-Link, QNAP, Wyze, Lexmark, and HP were all exploited during the competition

The overall Master of Pwn winner was Team Viettel, with 30 Master of Pwn points, winning $180,000. They were followed on the…

Source…

Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own


Latvian network equipment manufacturer MikroTik has shipped a patch for a major security defect in its RouterOS product and confirmed the vulnerability was exploited five months ago at the Pwn2Own Toronto hacking contest.

In a barebones advisory documenting the CVE-2023-32154 flaw, Mikrotik confirmed the issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with enabled IPv6 advertisement receiver functionality. 

According to ZDI, organizers of the Pwn2Own software exploitation event, the vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Mikrotik RouterOS. 

“Authentication is not required to exploit this vulnerability,” ZDI warned in an advisory.

“The specific flaw exists within the Router Advertisement Daemon. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root,” the company said.

The Pwn2Own organizers decided to go public with an advisory prior to the availability of patches after waiting five months for MikroTik to acknowledge and fix the already-exploited security flaw.

ZDI said it reported the issue to MikroTik during the event last December and asked again for an update in May this year, five months later. On May 10, ZDI said it “re-disclosed the report at the vendor’s request” and gave the company an extra week to provide fixes.

Advertisement. Scroll to continue reading.

In its response, MikroTik said it cannot find a record of the December disclosure from ZDI and that it was not present at the Toronto event in December to discuss the exploit.

Security defects in MikroTik routers have featured in the CISA must-patch list and have been used in the past to build malicious botnets.

Related: Microsoft Releases Open Source Tool for Securing MikroTik Routers

Related: CISA Adds Exploited Mikrotik Flaws to ‘Must-Patch’ List

Related: MikroTik Confirms Mēris Botnet Targets Routers

Related: Tesla Hacked Twice at Pwn2Own Exploit Contest

Source…

Windows, macOS, and Tesla exploits debuted at Pwn2Own hacking contest


Security researchers have successfully exploited zero-day vulnerabilities found in macOS, Windows, and Tesla software at the Zero Day Initiative’s Pwn2Own conference.  

Day one of the 2023 competition, hosted in Vancouver, saw 12 unique zero-day vulnerabilities exploited in Microsoft SharePoint, Windows 11, Adobe Reader, Oracle VirtualBox, Tesla Gateway, and macOS.  

Abdul Aziz Hariri of security firm Haboob successfully exploited vulnerabilities in Adobe Reader. Hariri used a six-bug chained exploit to escape the Adobe sandbox and circumvent APIs on macOS, earning a $50,000 prize in the process.  

A key talking point on day one of Pwn2Own came when STAR Labs successfully executed a chained exploit against Microsoft SharePoint. The team also hacked Ubuntu Desktop with a previously known vulnerability which saw them scoop a combined prize of $115,000. 

Synacktiv secured a $140,000 prize haul – and a Tesla Model 3 – after hacking Apple’s macOS kernel through an elevation of privilege attack as well as a successful vulnerability exploit of Tesla Gateway. This attack saw the team execute a time-of-check to time-of-use (TOCTOU) attack against the Gateway.

Tesla’s Gateway is a system in its Powerwall product which controls a vehicle’s connection to the grid. The Gateway automatically detects outages and provides a “seamless transition” to backup power in the event of an outage.  

This isn’t the first time Tesla Gateway has been exploited successfully. In 2020, researchers at security firm Rapid7 highlighted security risks due to the Gateway’s connection to the internet.  

Meanwhile, security researcher Marcin Wiazowski used an improper input validation bug to elevate privileges on Windows 11 which saw him secure a $30,000 prize. 

Bien Pham rounded off the first day with a successful exploit against Oracle VirtualBox, earning a prize of $40,000.  

More to come at Pwn2Own 

The annual competition saw $375,000 in prizes awarded over the course of day one, with Justin Childs, head of threat awareness at the Zero Day Initiative, stating that the contest is “well on its way to a million dollars”.  

Last year’s contest saw researchers take home more than $1.1 million in…

Source…