Hackers Exploited Ubuntu, Adobe Reader, Sharepoint, Tesla ECU & Oracle VM
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
This year’s Pwn2Own Vancouver 2024 event is expected to be the largest in Vancouver history, both in terms of entries and potential rewards.
The event’s victors will receive over $1,300,000 in cash and prizes, which include a Tesla Model 3.
The results of Pwn2Own Vancouver 2024’s first day have been released, and the hackers particularly hacked Oracle VM, Adobe Reader, Microsoft Sharepoint, Tesla ECU, and Ubuntu.
As of the end of Day 1, the winners have received $732,500 USD for 19 distinct 0 days.
That brings a close to the first day of #Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique 0-days. @Synacktiv currently leads in the hunt for Master of Pwn, but @_manfp is right behind them. Here are the full standings: pic.twitter.com/GbtDzbCFgO
— Zero Day Initiative (@thezdi) March 21, 2024
The Highlights Of Day 1
AbdulAziz Hariri of Haboob SA was able to launch the event by successfully executing their code execution attack against Adobe Reader.
He combined a Command Injection issue with an API Restriction Bypass. In addition to 5 Master of Pwn points, he receives $50,000.
Confirmed! @abdhariri used an API Restriction Bypass and a Command Injection bug to get code execution on #Adobe Reader. In doing so, he earns $50,000 and 5 Master of Pwn points. #Pwn2Own #P2OVancouver pic.twitter.com/OPdEkeLspc
— Zero Day Initiative (@thezdi) March 20, 2024
The LPE attack against Windows 11 was successfully carried out by the DEVCORE Research Team.
They merged a few bugs, one of which was a TOCTOU race condition that may be dangerous. Three Master of Pwn points and $30,000 are theirs.
With just one UAF bug, Seunghyun Lee (@0x10n) of the KAIST Hacking Lab was able to execute their exploit of the Google Chrome web browser. They get six Master of Pwn points and $60,000.
Confirmed! Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to get code execution in the #Google Chrome renderer. He earns $60,000 and 6 Master of Pwn points. #Pwn2Own pic.twitter.com/yIqPLXO9sv
— Zero Day Initiative (@thezdi) March 20, 2024
Combining a heap-based buffer overflow, a UAF, and an uninitialized variable flaw, Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) were able to escape VMware Workstation and run code as SYSTEM on the host Windows OS.
They receive $130,000 and 13 Master of Pwn points for their outstanding achievement.
Confirmed! Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) combined three different bugs to escape #VMware Workstation and then execute code as SYSTEM on the host OS. This impressive feat earns them $130,000 and 13 Master of Pwn points. #Pwn2Own pic.twitter.com/JkVgORdcck
— Zero Day Initiative (@thezdi) March 20, 2024
Two Oracle VirtualBox issues, including a buffer overflow, were combined with a Windows UAF by Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) to enable the guest OS to escape and run code as SYSTEM on the host OS.
They receive $90,000 and nine Master of Pwn points for this outstanding research.
The Synacktiv (@synacktiv) team exploited the Tesla ECU with Vehicle (VEH) CAN BUS Control by using a single integer overflow.
The winners receive a new Tesla Model 3 (their second!), $200,000, and 20 Master of Pwn points.
Confirmed!!! The @Synacktiv team used a single integer overflow to exploit the #Tesla ECU with Vehicle (VEH) CAN BUS Control. The win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!). Awesome work as always. #Pwn2Own #P2OVancouver pic.twitter.com/FcB4fTiOa7
— Zero Day Initiative (@thezdi) March 20, 2024
Manfred Paul (@_manfp) leverages a PAC bypass exploiting an Apple Safari vulnerability to obtain RCE on the browser via an integer underflow flaw.
He gains six Master of Pwn points and $60,000 for himself.
Oracle VirtualBox was exploited by Dungdm (@_piers2) of Viettel Cyber Security using two bugs, including the always dangerous race condition.
They get four Master of Pwn points and $20,000 as the round three winners.
That concludes Pwn2Own Vancouver 2024’s first day. Let’s see if Manfred Paul can catch up to Synacktive or if they can maintain their Master of Pwn lead.
Follow this link to view this highly competitive contest’s detailed itinerary. Additionally, you can find a comprehensive overview of the Pwn2Own Vancouver2024 Day 1 results here.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us onLinkedIn&Twitter.
#Cyber_Security_News #Hacks #Vulnerability #cyber_security_news #Hackers_Exploit #zero-day
Оригинальная версия на сайте:
Hackers Exploited Ubuntu, Adobe Reader, Sharepoint, Tesla ECU & Oracle VM
Author: Guru BaranThis year’s Pwn2Own Vancouver 2024 event is expected to be the largest in Vancouver history, both in terms of entries and potential rewards.
The event’s victors will receive over $1,300,000 in cash and prizes, which include a Tesla Model 3.
The results of Pwn2Own Vancouver 2024’s first day have been released, and the hackers particularly hacked Oracle VM, Adobe Reader, Microsoft Sharepoint, Tesla ECU, and Ubuntu.
As of the end of Day 1, the winners have received $732,500 USD for 19 distinct 0 days.
That brings a close to the first day of #Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique 0-days. @Synacktiv currently leads in the hunt for Master of Pwn, but @_manfp is right behind them. Here are the full standings: pic.twitter.com/GbtDzbCFgO
— Zero Day Initiative (@thezdi) March 21, 2024
The Highlights Of Day 1
AbdulAziz Hariri of Haboob SA was able to launch the event by successfully executing their code execution attack against Adobe Reader.
He combined a Command Injection issue with an API Restriction Bypass. In addition to 5 Master of Pwn points, he receives $50,000.
Confirmed! @abdhariri used an API Restriction Bypass and a Command Injection bug to get code execution on #Adobe Reader. In doing so, he earns $50,000 and 5 Master of Pwn points. #Pwn2Own #P2OVancouver pic.twitter.com/OPdEkeLspc
— Zero Day Initiative (@thezdi) March 20, 2024
The LPE attack against Windows 11 was successfully carried out by the DEVCORE Research Team.
They merged a few bugs, one of which was a TOCTOU race condition that may be dangerous. Three Master of Pwn points and $30,000 are theirs.
With just one UAF bug, Seunghyun Lee (@0x10n) of the KAIST Hacking Lab was able to execute their exploit of the Google Chrome web browser. They get six Master of Pwn points and $60,000.
Confirmed! Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to get code execution in the #Google Chrome renderer. He earns $60,000 and 6 Master of Pwn points. #Pwn2Own pic.twitter.com/yIqPLXO9sv
— Zero Day Initiative (@thezdi) March 20, 2024
Combining a heap-based buffer overflow, a UAF, and an uninitialized variable flaw, Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) were able to escape VMware Workstation and run code as SYSTEM on the host Windows OS.
They receive $130,000 and 13 Master of Pwn points for their outstanding achievement.
Confirmed! Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) combined three different bugs to escape #VMware Workstation and then execute code as SYSTEM on the host OS. This impressive feat earns them $130,000 and 13 Master of Pwn points. #Pwn2Own pic.twitter.com/JkVgORdcck
— Zero Day Initiative (@thezdi) March 20, 2024
Two Oracle VirtualBox issues, including a buffer overflow, were combined with a Windows UAF by Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) to enable the guest OS to escape and run code as SYSTEM on the host OS.
They receive $90,000 and nine Master of Pwn points for this outstanding research.
The Synacktiv (@synacktiv) team exploited the Tesla ECU with Vehicle (VEH) CAN BUS Control by using a single integer overflow.
The winners receive a new Tesla Model 3 (their second!), $200,000, and 20 Master of Pwn points.
Confirmed!!! The @Synacktiv team used a single integer overflow to exploit the #Tesla ECU with Vehicle (VEH) CAN BUS Control. The win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!). Awesome work as always. #Pwn2Own #P2OVancouver pic.twitter.com/FcB4fTiOa7
— Zero Day Initiative (@thezdi) March 20, 2024
Manfred Paul (@_manfp) leverages a PAC bypass exploiting an Apple Safari vulnerability to obtain RCE on the browser via an integer underflow flaw.
He gains six Master of Pwn points and $60,000 for himself.
Oracle VirtualBox was exploited by Dungdm (@_piers2) of Viettel Cyber Security using two bugs, including the always dangerous race condition.
They get four Master of Pwn points and $20,000 as the round three winners.
That concludes Pwn2Own Vancouver 2024’s first day. Let’s see if Manfred Paul can catch up to Synacktive or if they can maintain their Master of Pwn lead.
Follow this link to view this highly competitive contest’s detailed itinerary. Additionally, you can find a comprehensive overview of the Pwn2Own Vancouver2024 Day 1 results here.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us onLinkedIn&Twitter.
#Cyber_Security_News #Hacks #Vulnerability #cyber_security_news #Hackers_Exploit #zero-day
Оригинальная версия на сайте:
