Pwn2Own Vancouver 2024 is complete! Over the 2-day event, we awarded $1,132,500 for 29 0-days. Join @dustin_childs and @MaliciousInput as they cover some of the highlights, including Master of Pwn winner @_manfp exploiting all 4 web browsers in the event.
That's a wrap! Congrats to @fluoroacetate on winning Master of Pwn. Their total was $375,000 (plus a vehicle) for the week. Superb work from this great duo.
Windows #UAC isn't a favorite feature, but @HexKitchen details a bug submitted by Eduardo Braun Prado that shows how you can use it to escalate from guest to SYSTEM (includes video)
The @fluoroacetate duo does it again. They used a type confusion in #Edge, a race condition in the kernel, then an out-of-bounds write in #VMware to go from a browser in a virtual client to executing code on the host OS. They earn $130K plus 13 Master of Pwn points.
Confirmed! Valentina Palmiotti (@chompie1337) with IBM X-Force used an Improper Update of Reference Count bug to escalate privileges on Windows 11. She nailed her first #Pwn2Own event and walks away with $15,000 and 3 Master of Pwn points.
CONFIRMED! @Synacktiv successfully executed a TOCTOU exploit against Tesla – Gateway. They earn $100,000 as well as 10 Master of Pwn points and this Tesla Model 3. #Pwn2Own #P2OVancouver
Confirmed! @5aelo used a JIT optimization bug in the browser, a macOS logic bug, & a kernel overwrite to execute code to successfully exploit Apple Safari. This chain earned him $65K & 6 Master of Pwn points.
CONFIRMED! @Synacktiv used a heap overflow & an OOB write to exploit the Infotainment system on the Tesla. When they gave us the details, we determined they actually qualified for a Tier 2 award! They win $250,000 and 25 Master of Pwn points. 1st ever Tier 2 award. Stellar work!
Confirmed! The Devcore team used an authentication bypass and a privilege escalation to take over the #Exchange server. They win the full $200,000 and 20 Master of Pwn points.
While @bl4sty only scored a COLLISION (non-unique bug) - Peter definitely gets a boatload of STYLE POINTS for this hack on a Canon printer @ #P2OToronto #Pwn2Own
Success! OV was able to demonstrate his exploit of #Microsoft #Teams. They're off to the disclosure room with the details. If confirmed, it will be worth $200,000 USD and 20 Master of Pwn points.
Congrats to @RZ_fluorescence on being named Master of Pwn for #Pwn2Own 2018! His exploits for Edge and Firefox earned him $120,000, this sweet jacket, and the trophy. We hope he returns in the future to defend his title.
Confirmed! @fluoroacetate leveraged a race condition leading to an out-of-bounds write to escalate from a #VMware client to execute code on the host OS. The effort brings them another $70,000 and 7 more Master of Pwn points. Their Day 1 total is $160,000 USD.
Confirmed!!! The @Synacktiv team used a single integer overflow to exploit the #Tesla ECU with Vehicle (VEH) CAN BUS Control. They win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!). Awesome work as always. #Pwn2Own #P2OVancouver
In a new guest blog, #Pwn2Own winner @_manfp details CVE-2024-2887 - a bug he used to exploit both #Chrome and #Edge during the contest on his way to winning Master of Pwn. He breaks down the root cause and shows how he exploited it. Read the details at
You've probably heard about the wormable bug in http.sys (CVE-2021-31166) but have you seen what causes it? The Trend Micro Research team provides a detailed root cause analysis of this recently patched #Windows http.sys bug.
Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks: A new blog from @HexKitchen detailing how a technique first submitted by @KLINIX5 can change a DoS into an LPE on #Windows. See details & source code examples at
Confirmed! The duo of Daan Keuper and Thijs Alkemade from Computest used a 3-bug chain to exploit #Zoom messenger with 0 clicks from the target. They win $200,000 and 20 points towards Master of Pwn. #Pwn2Own
CONFIRMED! Manfred Paul (@_manfp) used an OOB Write for the RCE and an exposed dangerous function bug to achieve his sandbox escape of #Mozilla #Firefox. He earns another $100,000 and 10 Master of Pwn points, which puts him in the lead with 25. #Pwn2Own
Wow. Just wow. Starting from a web browser within a virtual client and ending with code execution on the host OS. Now off to the disclosure room for all the details.
CVE-2021-44142: Details on a #Samba remote code execution bug demonstrated at #Pwn2Own Austin. An OOB heap read/write vuln was present in versions prior to 4.13.17. Read all the details & patch analysis at
CVE-2024-30043: @chudyPB details this #SharePoint XXE he discovered. He calls it one of the craziest XXEs he has ever seen, both in terms of vuln discovery and the method of triggering. He shows how it can be used for info disclosure & NTLM relaying.
Wow - with just 10 seconds left of their 2nd attempt, Daan Keuper and Thijs Alkemade were able to demonstrate their code execution via Zoom messenger. 0 clicks were used in the demo. They're off to the disclosure room for details. #Pwn2Own
That brings #Pwn2Own Tokyo 2019 to a close. Congrats to @fluoroacetate on successfully defending their Master of Pwn title. In two days, they racked up $195,000 for their research. Congrats!
In a new guest blog, @orange_8361 provides details on how he used 3 bugs to get code execution on #Microsoft #Exchange during #Pwn2Own. He calls it ProxyShell. We call it amazing. Read the details a
Confirmed! @mwrlabs leveraged a heap buffer underflow in the browser and an uninitialized stack variable in macOS to exploit #Safari and escape the sandbox. In doing so, they earned $55,000 and 5 Master of Pwn points.
Confirmed! The Synacktiv team used a heap overflow to take over the #Canon ImageCLASS MF644Cdw printer. In doing so, they win $20,000 and 2 Master of Pwn points. #Pwn2Own #P2OAustin
And the Master of Pwn is.....
A tie!
Congrats to Team DEVCORE, OV, and Daan Keuper and Thijs Alkemade. All are considered Master of Pwn and receive Platinum status next year. Thanks again to all who participated. It was an amazing contest, & we couldn't have done it without you.
Detailing CVE-2020-0932 - a now patched RCE bug in #Microsoft #SharePoint reported to us by an anonymous researcher. The blog lays out how code exec is possible using TypeConverters and provides video demonstration and PoC. Read the post at
Success! @abdhariri of @HaboobSa completed his attack against Adobe Reader using a 6-bug logic chain exploiting multiple failed patches which escaped the sandbox and bypassed a banned API list. He earns $50,000 and 5 Master of Pwn points. #Pwn2Own #P2OVancouver
CVE-2020-9697: Info disclosure in #Adobe Reader. PoC:
var a = app.measureDialog(app);
console.println("Escript Base: " + (Math.abs(a[1]) - 0x0044b43).toString(16))
That's a wrap! #Pwn2Own Vancouver is complete. Overall, we awarded $1,132,500 for 29 unique 0-days. Congrats to @_manfp for winning Master of Pwn with $202,500 and 25 points. Here's the final top 10 list:
Success! Synacktiv was able to execute a heap-based buffer overflow in the kernel triggered via WiFi and leading to RCE against the Wyze Cam v3. They earn $15,000 and 3 Master of Pwn points. #Pwn2Own
Want to know how to exploit the recently patched #Microsoft #Exchange CVE-2020-0688? @hexkitchen provides the details on how to take advantage of the fixed cryptographic keys used during installation.
A deep look at CVE-2020-1181: RCE in #SharePoint through Web Parts. An anonymous researcher sent this to us and #Microsoft patched it last week. Includes step-by-step PoC.
Introducing #ProxyToken, which allows an unauthenticated attacker to modify the configuration of a victim's mailbox on an #Exchange Server. Originally reported to us by Le Xuan Tuyen, @HexKitchen details CVE-2021-33766 & shows how it could be exploited.
Confirmed! The @fluoroacitate duo used a JIT bug in the renderer to win $35,000 and a Model 3. What a great way to kick off the automotive category of #Pwn2Own.
That's a wrap for #P2OVancouver! Contestants disclosed 27 unique 0-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, @Synacktiv, for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3. #Pwn2Own
In our 1st #Pwn2Own #AfterDark entry this evening, @Synacktiv used an improper certificate validation and a stack-based buffer overflow to compromise the NETGEAR router via the WAN interface. They earn $20,000 and 2 critical Master of Pwn points. #P2OAustin
Confirmed! The team of @fluoroacetate used an integer overflow in JIT and a heap overflow to escape the sandbox. The successful #Safari exploit chain earned them $55,000 and 5 Master of Pwn points.
Confirmed! After plenty of drama - including reworking his exploit live, on the clock, in front of a crowd - @RZ_fluorescence used 2 UAFs in Edge and an integer overflow in the kernel to win $70,000 and 7 points towards Master of Pwn. #Pwn2Own
A full analysis of the #Microsoft #Exchange code execution bug released today (CVE-2018-8302) is now available. Includes a video demo of the exploit in action. Read the details at .
CVE-2019-5420, an RCE bug in Ruby on Rails - originally discovered by @ooooooo_q - receives the full write-up and PoC treatment from the Trend Micro Research team. Details and PoC at .
In a new guest blog, @cogallag describes the bug he used to exploit #Oracle #VirtualBox at #Pwn2Own Vancouver. He gives an in-depth analysis of how he used a race condition to win $20,000 at the contest.
The first ever #Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to @synacktiv, the Masters of Pwn! Stay with us here and at the ZDI blog as we prepare for Pwn2Own Vancouver in March.
They did it. A successful demonstration by the @fluoroacetate duo on the Model 3 internet browser. Now off to the disclosure room for details and confirmation.
At #Pwn2Own Vancouver, @_manfp won $100K exploiting #Firefox. Now that these bugs are patched, @hosselot details the first part of this exploit in his most recent blog. Part 2 is to come.
That's a wrap on #Pwn2Own Toronto 2023! We awarded $1,038,250 for 58 unique 0-days during the event. Congratulations to Team Viettel (@vcslab) for winning Master of Pwn with $180K and 30 points. We'll see you at Pwn2Own Automotive in Tokyo next January.
CVE-2021-20226: @_wmliang_ details this #Linux privilege escalation via io_uring originally submitted by @ga_ryo_. The bug leads to a UAF on any file structure, which can be leveraged for LPE in the kernel.
Wow. @bkth_ and @_niklasb did it. They successfully demonstrated their exploit against #Chrome AND #Edge. Both browsers allowed code exec when hitting their website. They head to the disclosure room to drop the details. #Pwn2Own
Two different RCE bugs in #IBM #WebSphere are detailed by @zebasquared in his latest blog. Read the root cause and see video demos of CVE-2020-4464 and -4448 at
Confirmed! OV used a pair of bugs to compromise #Microsoft #Teams and get code execution. He wins $200,000 and 20 points towards Master of Pwn. #Pwn2Own #P2O
Confirmed! The DEVCORE team leveraged an integer underflow to gain code execution on the #Sonos One speaker. This unique bug chain earns them $60,000 and 6 points towards Master of Pwn. #Pwn2Own #P2OAustin
Miss @chudyPB's talk on .NET deserialization bugs during @hexacon_fr? You can check out his full white paper at:
And be sure to catch his exploit videos for #Exchange () and #SolarWinds ()
Boom! It takes @abdhariri less than 15 seconds to kick off #Pwn2Own Vancouver with a successful exploit of #Adobe Reader on macOS. He's off to the disclosure room to discuss the details of his research.
CVE-2019-12527: Code Execution on Squid Proxy Through a Heap Buffer Overflow - the Trend Micro Research team provides details about this recently patched vuln.
In a new guest blog, @kkokkokye describes how CVE-2021-26900 can be used to escalate privileges on #Windows through win32k. His write-up includes root cause, patch analysis, and PoC. Read the details at
CVE-2020-1300 - Remote code execution via #Windows CAB files. Our colleagues from Trend Micro Research bring all the details about this recently patched bug. Read them at
At #Pwn2Own Vancouver, @hi_im_d4rkn3ss of @starlabs_sg used 2 bugs to exploit #VMware Workstation. CVE-2023-20869/20870 are now patched, so he provides details of the uninitialized variable & stack-based overflow bugs he used to win $80K. Read the blog at
A successful #VMware #ESXi demo at #Pwn2Own is worth $150K. @_wmliang_ had 2 unauth RCEs in ESXi patched last week. Not only does he break down the details in his latest blog, he went further & wrote a full code execution exploit for one of the bugs.
Success! Samuel Groß (@5aelo) manages to pop calc and brings back his trademark touchbar finesse. Now off to the disclosure room for confirmation and vendor notification.
Analyzing a trio of RCE bugs in #Intel wireless drivers - @trendytofu looks at CVE-2020-0558 and provides details on the root causes. He also includes PoC for you to test your adapters. Details at
Confirmed! Axel '0vercl0k' Souchet of used a double free bug to execute his code on Iconics Genesis64. He wins $20,000 and 20 Master of Pwn points. #Pwn2Own #P2O
CVE-2022-23088: A new guest blog from @m00nbsd describes a 13-yr-old heap overflow in the Wi-Fi stack that allows network-adjacent attackers to execute code on affected installations of FreeBSD Kernel. Includes root cause & PoC. Read the details at
Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend - @chudyPB provides the details of CVE-2022-41040 and -41082. These were the #Exchange bugs used in active attacks and recently patched.
Confirmed! Jack Dates from RET2 Systems used an integer overflow in Safari and an OOB Write to get kernel code execution. He wins $100K plus 10 Master of Pwn points to start the contest off right!
In a new guest blog, @_manfp describes CVE-2020-8835, the bug he used to escalate privileges on #Ubuntu and win $30K at the most recent #Pwn2Own. Read the details at
It's a partial win. Despite the great demonstration (with ASCII art), the bug used by @alisaesage had been reported prior to the contest. It's still great work, & we're thrilled she broke ground as the 1st woman to participate as an independent researcher in #Pwn2Own history.
Confirmed! @4nhdaden used an integer underflow in the #Oracle VirtualBox client to pop calc at medium integrity on the host OS. He earned himself $35,000 USD and 3 Master of Pwn points.
CVE-2022-26381: @hosselot details triggering a #UAF bug in #Mozilla #Firefox. His write-up includes PoC, root cause, and a look at the fix. Read the details at
Announcing #Pwn2Own Toronto 2022! Phones, Routers, Automation Hubs, Smart Speakers, & NAS devices all return as targets. And introducing the SOHO Smashup! More than $1,000,000 in prizes available. Read all the details at #P2OToronto
Is exploiting a null pointer deref for LPE just a pipe dream? @izobashi shows the process discovering a couple of #Bitdefender AV bugs (CVE-2021-4198/CVE-2021-4199). The exploit leads to LPE by exploiting a link following issue.
In his first blog for us, @zebasquared details a recently patched deserialization bug that could lead to RCE in the #Oracle #WebLogic server. Read all the details at
That concludes Day 2 of #P2OVancouver – we awarded $475,000 for 10 unique zero-days today, bringing the total awarded to $850,000! Stay tuned tomorrow for the final day of the competition. #Pwn2Own
With all of the points totaled, @starlabs_sg has been crowned Master of Pwn for #Pwn2Own Vancouver 2022! They won $270,000 and 27 points during the contest.
Not only did @SinSinology Rick Roll the Ubiquiti charger, he turned on the camera, which is normally disabled by the manufacturer. He's off to the disclosure room to provide all the details.
In a new guest blog, Marcin Wiązowski details CVE-2023-21822 – a Use-After-Free in win32kfull that could lead to an LPE. He provides root cause, looks at how it could be exploited, and reviews the patch from #Microsoft. Read all the details at
Success! To kick things off for #Pwn2Own 2022 Day 2 in style, David BERARD and Vincent DEHORS from @Synacktiv demonstrated code execution on the @Tesla infotainment system resulting in an arbitrary file write and a switch unlock. #P2O15
Confirmed! The DEVCORE team of @orange_8361, @scwuaptx and @mehqq_ used an elegant heap overflow to get code execution on the #Synology NAS during their 2nd attempt. They earn themselves $20,000 and 2 Master of Pwn points.