These are the results of Pwn2Own 2024


The results of the two days of the “Pwn2Own 2024” competition were recently announced. The competition is held annually as part of the CanSecWest conference in Vancouver, and during the event exploits were demonstrated for previously unknown vulnerabilities in systems such as Ubuntu, Windows, Docker, Oracle VirtualBox, VMware Workstation, Adobe Reader, Firefox, Chrome, Edge and Tesla.

In total, 23 attacks were successfully executed, exploiting 29 previously unknown vulnerabilities, and the rewards paid totaled $1,132,500, including an additional prize of a Tesla Model 3 for hacking a Tesla vehicle. The total rewards distributed in the last three Pwn2Own competitions reached $3,494,750, and the team with the highest score received a prize of $202,000.


Of the attacks attempted on both days of Pwn2Own 2024, four successful attacks on Ubuntu are worth mentioning; they allowed an unprivileged user to gain root rights. These attacks took advantage of vulnerabilities caused by race conditions and buffer overflows. The prizes awarded were 20 thousand dollars, 10 thousand dollars and two prizes of 5 thousand dollars each.

Another demonstrated attack targeted Firefox; it bypassed sandbox isolation and allowed code to be executed on the system when a specially crafted page was opened. This attack won a prize of 100 thousand dollars. The vulnerability was due to a bug that allowed data to be read and written outside the bounds of the buffer allocated for a JavaScript object, combined with the replacement of an event handler on a privileged JavaScript object. Mozilla quickly responded with the Firefox 124.0.1 update to address these issues.

There were four attacks on Chrome that allowed code to be executed on the system when a specially crafted page was opened. The prizes were 85 thousand dollars, 60 thousand dollars and two prizes of 42.5 thousand dollars each. These vulnerabilities were due to use-after-free memory accesses and out-of-bounds reads, as well as incorrect input validation. Additionally, these exploits are universal and work on both Chrome and Edge.

There was one attack on Safari (Apple's web browser) that allowed code to be executed on the system when a specially crafted page was opened, with a prize of 60 thousand dollars. The vulnerability in Safari was caused by an integer overflow.

There were four attacks on VirtualBox that allowed escaping from the guest system and executing code on the host side. The prizes were 90 thousand dollars and three prizes of 20 thousand dollars each. These attacks were based on vulnerabilities caused by buffer overflows, race conditions, and use-after-free memory accesses.

There was one attack on Docker that allowed escaping from an isolated container, with a prize of 60 thousand dollars. The vulnerability was due to a use-after-free memory access.

There were two attacks on VMware Workstation that allowed escaping from the guest system and running code on the host side. The attacks exploited a use-after-free memory access, a buffer overflow, and an uninitialized variable. The prizes were 30 thousand dollars and 130 thousand dollars.

There were five attacks on Microsoft Windows 11 that allowed privileges to be escalated. The prizes were three of 15 thousand dollars and one of 30 thousand dollars, with an additional 7,500 dollars each. These vulnerabilities were due to race conditions, integer overflows, incorrect reference counting, and incorrect input validation.

Besides that, the following security incidents were reported:

  • An attack that allowed code execution when processing content in Adobe Reader, with a prize of $50 thousand. The exploited vulnerability allowed API restrictions to be bypassed and a bug to be used to substitute commands.
  • An attack on the information system of a Tesla car, which manipulated the CAN bus to trigger an integer overflow and gain access to the ECU (electronic control unit). This incident resulted in an award of $200 and a Tesla Model 3 car.
  • Attempts to hack Microsoft SharePoint and VMware ESXi were unsuccessful.

The exact details of the problems have not been revealed yet. Under the terms of the contest, detailed information on all demonstrated zero-day vulnerabilities will be published after 90 days. This period is given to manufacturers to prepare updates that fix the identified vulnerabilities.

If you are interested in knowing more about it, you can check the details in the following link.

