Recently they made themselves known through a blog post results of the three days of the Pwn2Own 2022 competition, which is held annually as part of the CanSecWest conference.
In this year's edition techniques have been demonstrated to work to exploit vulnerabilities previously unknown for Ubuntu Desktop, Virtualbox, Safari, Windows 11, Microsoft Teams and Firefox. In total, 25 successful attacks were demonstrated and three attempts ended in failure. The attacks used the latest stable versions of applications, browsers and operating systems with all available updates and in default settings. The total amount of remuneration paid was US$1.155.000.
Pwn2Own Vancouver by 2022 is underway, and the contest's 15th anniversary has already seen some incredible research on display. Stay tuned to this blog for updated results, images, and videos from the event. We'll post it all here, including the latest Master of Pwn leaderboard.
competition demonstrated five successful attempts to exploit previously unknown vulnerabilities in Ubuntu Desktop, made by different teams of participants.
was awarded a $40,000 award for demonstrating local privilege escalation in Ubuntu Desktop by exploiting two buffer overflow and double release issues. Four bonuses, worth $40,000 each, were paid for demonstrating privilege escalation by exploiting vulnerabilities related to memory access after it was released (Use-After-Free).
SUCCESS – Keith Yeo ( @kyeojy ) won $40K and 4 Master of Pwn points for a Use-After-Free exploit on Ubuntu Desktop.
Which components of the problem are not yet reported, according to the terms of the competition, detailed information on all demonstrated 0-day vulnerabilities will be published only after 90 days, which are given for the preparation of updates by manufacturers to remove vulnerabilities.
SUCCESS – In the final attempt on Day 2, Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), and Xinyu Xing (@xingxinyu) from Northwestern University's TUTELARY team successfully demonstrated a Use After Free bug that led to privilege elevation in Ubuntu Desktop. This nets you $40,000 and 4 Master of Pwn points.
Team Orca of Sea Security (security.sea.com) was able to run 2 bugs on Ubuntu Desktop: an Out-of-Bounds Write (OOBW) and Use-After-Free (UAF), earning $40,000 and 4 Master of Pwn Points.
SUCCESS: Team Orca of Sea Security (security.sea.com) was able to run 2 bugs on Ubuntu Desktop: an Out-of-Bounds Write (OOBW) and Use-After-Free (UAF), winning $40,000 and 4 Master of Pwn points.
Of the other attacks that could be carried out successfully, we can mention the following:
- 100 thousand dollars for the development of an exploit for Firefox, which allowed, by opening a specially designed page, to circumvent the isolation of the sandbox and execute code in the system.
- $40,000 for demonstrating an exploit that takes advantage of a buffer overflow in Oracle Virtualbox to log out a guest.
- $50,000 for running Apple Safari (buffer overflow).
- $450,000 for Microsoft Teams hacks (different teams demonstrated three hacks with a reward of
- $150,000 each).
- $80,000 (two $40,000 bonuses) to take advantage of buffer overflows and privilege escalation in Microsoft Windows 11.
- $80,000 (two $40,000 bonuses) to exploit a bug in the access verification code to elevate your privileges in Microsoft Windows 11.
- $40k to exploit integer overflow to elevate your privileges in Microsoft Windows 11.
- $40,000 for exploiting a Use-After-Free vulnerability in Microsoft Windows 11.
- $75,000 for demonstrating an attack on the infotainment system of a Tesla Model 3 car. The exploit used buffer overflow and free double bugs, along with a previously known sandbox bypass technique.
Last but not least, it is mentioned that in the two days of competition the failures that occurred despite the three hacking attempts allowed, are the following: Microsoft Windows 11 (6 successful hacks and 1 failed), Tesla (1 hack successful and 1 failed) and Microsoft Teams (3 successful hacks and 1 failed). There were no requests to demonstrate exploits in Google Chrome this year.
Finally if you are interested in knowing more about it, You can check the details in the original post at the following link.