Oct 26 2023

PWN2OWN TORONTO 2023 DAY 1 – ORGANIZERS AWARDED $438,750 IN PRIZES

Category: HackingDISC @ 7:13 am

During Day 1 of the Pwn2Own Toronto 2023 hacking contest, the organizers awarded a total of $438,750 in prizes!

Team Orca of Sea Security received the largest reward of the day: the researchers chained two issues, an OOB read and a UAF, against the Sonos Era 100. They earned $60,000 and 6 Master of Pwn points.

Researchers from Pentest Limited demonstrated an improper input validation bug against the Samsung Galaxy S23. They earned $50,000 and 5 Master of Pwn points.

The team STAR Labs SG exploited a permissive list of allowed inputs against the Samsung Galaxy S23 and earned $25,000 and 5 Master of Pwn points.

Pentest Limited also earned $40,000 and 4 Master of Pwn points by executing a 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and server-side request forgery (SSRF).

Team Viettel demonstrated a single-bug attack against the Xiaomi 13 Pro and earned $40,000 and 4 Master of Pwn points.

Team ECQ also earned $40,000 and 4 Master of Pwn points by executing a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464.

Binary Factory and Synacktiv demonstrated working attacks against the Synology BC500 and earned $30,000 and 3 Master of Pwn points and $15,000 and 3 Master of Pwn points respectively.

Compass Security also executed a stack overflow attack against the Synology BC500, but the exploit they used was previously known. They still earned $3,750 and 0.75 Master of Pwn points.

Other successful attacks were demonstrated against Canon imageCLASS MF753Cdw and Lexmark CX331adwe.

Below is the leaderboard (as posted by ZDI) after Pwn2Own Toronto 2023 Day 1.

https://x.com/thezdi/status/1717319411688747052?s=20

Tags: pwn2own


Mar 25 2023

Pwn2Own Vancouver 2023 awarded $1,035,000 and a Tesla for 27 0-days

Category: HackingDISC @ 11:24 am

On the third day of the Pwn2Own Vancouver 2023 hacking contest, the organization awarded $185,000 for 10 zero-day exploits.

Pwn2Own Vancouver 2023 has ended; contestants disclosed 27 unique zero-days and the organization awarded a total of $1,035,000 and a Tesla Model 3. The Synacktiv team (@Synacktiv) (Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert) won the competition, earning 53 points, $530,000, and a Tesla Model 3.

On the third day, contestants were awarded $185,000 after demonstrating 5 zero-day exploits targeting the Ubuntu Desktop, Windows 11, and the VMware Workstation software.


The day began with the hack of Ubuntu Desktop by Kyle Zeng from ASU SEFCOM, who used a double-free bug and earned $30,000 and 3 Master of Pwn points.

Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) used a UAF against Microsoft Windows 11. They earned $30,000 and 3 Master of Pwn points.

Researcher Mingi Cho of Theori used a UAF against Ubuntu Desktop; the team earned $30,000 and 3 Master of Pwn points.

The STAR Labs (@starlabs_sg) team used an uninitialized variable and a UAF to hack the VMware Workstation virtualization software. They earned $80,000 and 8 Master of Pwn points. The STAR Labs team also attempted to demonstrate an exploit against Microsoft Teams, but failed to do so within the time allotted.

Bien Pham (@bienpnn) from Qrious Security successfully targeted Ubuntu Desktop, but used a known exploit, so the attempt was classified as a “Collision”. The team earned $15,000 and 1.5 Master of Pwn points.

“That’s a wrap for Pwn2Own Vancouver! Contestants disclosed 27 unique zero-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, Synacktiv (@Synacktiv), for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3,” reads the wrap-up of the hacking competition published by the Zero Day Initiative.

Tags: pwn2own


Mar 24 2023

Hacking contest Pwn2Own: Ubuntu, Tesla, macOS and Windows 11 cracked

Category: Hacking,Information SecurityDISC @ 7:08 am

It is the third day of the Pwn2Own Vancouver 2023 hacking contest. So far, security researchers have managed to crack the operating systems Ubuntu, macOS and Windows 11, as well as other products, including Tesla cars and Adobe Reader.

Security researchers who manage to hack their targets win prize money and the hacked devices, even if the device is a Tesla.

Six of the eight attempts on day one were successful; a seventh also succeeded, but it used a previously known exploit. Only one attempt failed to hack the target in time.

Here is the day one overview:

  • AbdulAziz Hariri of Haboob SA used a 6-bug logic chain exploiting multiple failed patches against Adobe Reader to escape the application’s sandbox and bypass a banned API list.
  • STAR Labs hacked Microsoft SharePoint successfully, using a 2-bug chain attack.
  • Bien Pham from Qrious Security exploited Oracle VirtualBox successfully using an OOB read and a stack-based buffer overflow.
  • Synacktiv successfully hacked a Tesla Model 3. They executed a TOCTOU (Time-of-Check-to-Time-of-Use) attack against the Tesla Gateway.
  • Marcin Wiązowski managed to elevate privileges on Microsoft’s Windows 11 operating system using an improper input validation bug.
  • Synacktiv was able to escalate privileges on Apple macOS using a TOCTOU bug.
  • STAR Labs used an already known exploit to successfully hack Ubuntu Desktop.
  • last_minute_pwnie failed to get an Ubuntu exploit working.

A total of $375,000 in prize money was awarded to the successful researchers and teams. The Tesla Model 3 changed owner as well.

On day two, security researchers managed to hack Oracle VirtualBox, Microsoft Teams, another Tesla, and Ubuntu Desktop.

Here is the day two overview:

  • Thomas Imbert and Thomas Bouzerar from Synacktiv used a 3-bug chain against Oracle VirtualBox with a Host EoP.
  • Team Viettel hacked Microsoft Teams successfully using a 2-bug chain.
  • David Berard and Vincent Dehors from Synacktiv managed to get an exploit working that gave them unconfined root access in a Tesla. They used a heap overflow and an OOB write for that.
  • dungdm of Team Viettel exploited Oracle VirtualBox using an uninitialized variable and a UAF bug.
  • Tanguy Dubroca from Synacktiv managed to escalate privileges on Ubuntu Desktop using an incorrect pointer scaling bug.

The researchers received $475,000 in prize money on the second day.

Attacks against Ubuntu Desktop, Microsoft Teams, Microsoft Windows 11, and VMware Workstation are planned for the third and final day of the hacking competition.

Additional information about the successful hacks and exploits has not been released to the public. Companies whose products were exploited will create security patches to protect their devices and applications from potential attacks targeting the bugs.

Expect security updates for all hacked products in the coming days and weeks.

https://allinfosecnews.com/item/hacking-contest-pwn2own-ubuntu-tesla-macos-and-windows-11-cracked-2023-03-24/


Tags: pwn2own


May 19 2022

Pwn2Own Vancouver 2022 D1: MS Teams exploits received $450,000

Category: HackingDISC @ 9:52 am

White hat hackers earned a total of $800,000 on the first day of Pwn2Own Vancouver 2022, including $450,000 for exploits targeting Microsoft Teams.

The Pwn2Own Vancouver 2022 hacking contest has begun; it is the 15th edition of this important event organized by Trend Micro’s Zero Day Initiative (ZDI). This year, 17 contestants are attempting to exploit 21 targets across multiple categories.

During the first day of the event, white hat hackers earned a total of $800,000, a record for the first day of this contest, including $450,000 for successful exploits targeting Microsoft Teams.

All the attempts made during the first day were successful; the participants exploited a total of 16 flaws affecting Microsoft Teams, Oracle VirtualBox, Firefox, Windows 11, Ubuntu, and Safari.


Below is the list of hacking attempts against Microsoft Teams:

  • SUCCESS – Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points.
  • SUCCESS – Masato Kinugawa was able to execute a 3-bug chain of injection, misconfiguration and sandbox escape against Microsoft Teams, earning $150,000 and 15 Master of Pwn points.
  • SUCCESS – Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed) & Ngo Wei Lin (@Creastery) of STAR Labs successfully demonstrated their zero-click exploit of 2 bugs (injection and arbitrary file write) on Microsoft Teams. They earn $150,000 and 15 Master of Pwn points.

Manfred Paul (@_manfp) successfully demonstrated the exploitation of prototype pollution and improper input validation on Mozilla Firefox. Paul earned $100,000 and 10 Master of Pwn points.

Paul also exploited an out-of-bounds write issue on Apple Safari and earned $50,000 and 5 additional Master of Pwn points.

The remaining exploits received $40,000 each.

Windows 11 hacked again at Pwn2Own, Tesla Model 3 also falls

Pwn2Own Vancouver 2022 – Keith Yeo vs Ubuntu Desktop

Pwn2Own Vancouver 2022 – Drawing for Order

Pwn2Own Vancouver 2022 – TUTELARY vs Ubuntu Desktop

Pwn2Own Vancouver 2022 – Synacktiv vs Tesla

Tags: pwn2own, Pwn2Own Vancouver 2022


Nov 06 2020

Pwn2Own Tokyo Day one: NETGEAR Router, WD NAS Device hacked

Category: cyber security,Hacking,Information SecurityDISC @ 11:30 am

The Pwn2Own Tokyo 2020 hacking competition has started, and bug bounty hunters have already hacked a NETGEAR router and a Western Digital NAS device.

Pwn2Own Tokyo is actually coordinated by the Zero Day Initiative from Toronto, Canada, and the white hat hackers taking part in the competition have to demonstrate their ability to find and exploit vulnerabilities in a broad range of devices.

On day one of the competition, bug bounty hunters successfully exploited vulnerabilities in the NETGEAR Nighthawk R7800 router. The participants were Team Black Coffee, Team Flashback, and teams from the cybersecurity firms STAR Labs and Trapa Security; Team Flashback earned $20,000 for a remote code execution exploit that chained two bugs in the WAN interface.

“The team combined an auth bypass bug and a command injection bug to gain root on the system. They win $20,000 and 2 points towards Master of Pwn.” reads the post on the official site of the Pwn2Own Tokyo 2020.
The Trapa team successfully chained a pair of bugs to gain code execution on the LAN interface of the router; the experts earned $5,000 and 1 point towards Master of Pwn.

The STAR Labs team earned the same amount after using a command injection flaw to take control of the device.

The Trapa Security team also targeted the Western Digital My Cloud Pro series PR4100 NAS device and earned $20,000 for a working exploit against it.

The exploit code chained an authentication bypass bug and a command injection vulnerability to gain root on the device.

Source: Pwn2Own Tokyo Day one: NETGEAR Router, WD NAS Device hacked
Pwn2Own Tokyo (Live from Toronto) 2020 – Day One
httpv://www.youtube.com/watch?v=jX0b8iKXnbI&ab_channel=ZeroDayInitiative
Tags: pwn2own, Pwn2Own Tokyo