Pwn2Own Vancouver 2024 Wraps Up with Hackers Earning Over $1.1 Million and Exploiting 29 Zero-Day Vulnerabilities

New In Technology

The conclusion of Pwn2Own Vancouver 2024 saw security researchers collecting a total of $1,132,500 after demonstrating 29 zero-day vulnerabilities across various software and products. Held over two days, the competition targeted fully patched systems in categories including web browsers, cloud-native/container, virtualization, enterprise applications, servers, local escalation of privilege (EoP), enterprise communications, and automotive.

Among the notable exploits, Team Synacktiv secured a Tesla Model 3 and $200,000 on the first day by exploiting the Tesla ECU with Vehicle (VEH) CAN BUS Control in under 30 seconds using an integer overflow. Manfred Paul emerged as the overall winner of Pwn2Own Vancouver 2024, earning 25 Master of Pwn points and $202,500 throughout the competition. Paul's exploits included hacking Apple Safari, Google Chrome, and Microsoft Edge web browsers, utilizing zero-day vulnerabilities.

Additional successful attempts and bug collisions on both days included:

  • Windows 11 privilege escalation exploits from various teams such as HackInside, IBM X-Force, and individual researchers like Valentina Palmiotti, Marcin WiÄ…zowski, and Gabriel Kirkpatrick.
  • STAR Labs SG's VMware Workstation remote code execution (RCE) and Ubuntu Linux privilege escalation exploits, along with a Docker escape.
  • Palo Alto's team successfully hacking Chrome and Edge after defeating V8 hardening.
  • ColdEye's Oracle VirtualBox guest-to-host escape exploit.
  • KAIST Hacking Lab's Seunghyun Lee's double-tap Chrome and Edge RCE exploit.
  • Theori's privilege escalation exploit on Ubuntu Linux.

Throughout the event, contestants demonstrated their prowess by exploiting vulnerabilities in a variety of systems, including Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and popular web browsers such as Apple Safari, Google Chrome, and Microsoft Edge.

Following the demonstration of zero-day vulnerabilities at Pwn2Own, vendors have 90 days to develop and release security patches before Trend Micro's Zero Day Initiative publicly discloses them.

Pwn2Own Vancouver 2024 showcased the ongoing challenge of securing modern systems against sophisticated cyber threats. With hackers continuing to find and exploit vulnerabilities, it underscores the importance of robust security measures and timely patching to mitigate the risk of cyberattacks.