Pwn2Own

On the third and last day of the 2022 Pwn2Own Vancouver hacking contest, security researchers successfully hacked Microsoft’s Windows 11 operating system three more times using zero-day exploits.

The first attempt of the day targeting Microsoft Teams failed after Team DoubleDragon could not demo their exploit within the allotted time.

All other contestants hacked their targets, earning $160,000 after taking down Windows 11 three times and Ubuntu Desktop once.

The first to demonstrate a Windows 11 escalation of privilege zero-day (via Integer Overflow) on the third day of Pwn2Own was nghiadt12 from Viettel Cyber Security.

Bruno Pujos from REverse Tactics and vinhthp1712 also escalated privileges on Windows 11 using Use-After-Free and Improper Access Control vulnerabilities, respectively.

Last but not least, STAR Labs’ Billy Jheng Bing-Jhong hacked a system running Ubuntu Desktop using a Use-After-Free exploit.

Windows 11 EOP via Integer Overflow demoed by nghiadt12 (ZDI)

Pwn2Own 2022 Vancouver ended with 17 competitors earning a total of $1,155,000 for zero-day exploits and exploit chains demoed over three days after 21 attempts, between May 18 and May 20.

On the first day of Pwn2Own, hackers won $800,000 after successfully exploiting 16 zero-day bugs to hack multiple products, including Microsoft’s Windows 11 operating system and the Teams communication platform, Ubuntu Desktop, Apple Safari, Oracle VirtualBox, and Mozilla Firefox.

On the second day, contestants earned $195,000 after demoing flaws in the Tesla Model 3 Infotainment System, Ubuntu Desktop, and Microsoft Windows 11.

Security researchers demonstrated six Windows 11 exploits during the contest, hacked Ubuntu Desktop four times, and demoed three Microsoft Teams zero-days. They also reported several flaws in Apple Safari, Oracle VirtualBox, and Mozilla Firefox.

After vulnerabilities are exploited and reported during Pwn2Own, vendors have 90 days to release security fixes before Trend Micro’s Zero Day Initiative publicly discloses them.

In April, hackers also earned $400,000 for 26 zero-day exploits targeting ICS and SCADA products demoed during the 2022 Pwn2Own Miami contest between April 19 and April 21.

Source: www.bleepingcomputer.com