from the what-was-briefly-yours-is-now-mine dept.
Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023:
On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.
The first to fall was Adobe Reader in the enterprise applications category after Haboob SA's Abdul Aziz Hariri (@abdhariri) used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.
The STAR Labs team (@starlabs_sg) demoed a zero-day exploit chain targeting Microsoft's SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.
Synacktiv (@Synacktiv) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.
Oracle VirtualBox was hacked using an OOB Read and a stacked-based buffer overflow exploit chain (worth $40,000).
Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.
Throughout the Pwn2Own Vancouver 2023 contest, security researchers will target products in enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories.
[...] After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro's Zero Day Initiative publicly discloses them.
During last year's Vancouver Pwn2Own contest, security researchers earned $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.
Previous:
Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input
Work from Home Pwn2Own Hackers Make $130,000 in 48 Hours from Windows 10 Exploits
It's March 2018 and Your Windows PC Can Be Pwned By a Web Article
Related Stories
El Reg reports
The March edition of Patch Tuesday lands just hours before researchers are expected to flaunt their latest and greatest exploits at the CanSecWest Pwn2Own hacking competition in Vancouver.
Hopefully nobody was planning to use any of the 75 CVE-listed vulnerabilities Microsoft addressed today, including several for the Edge and Internet Explorer browsers that would allow remote code execution.
The fixed bugs include nine remote code execution (RCE) flaws in the Chakra scripting engine in Edge. Microsoft says the scripting bugs (such as CVE-2018-0874[1]) would allow an infected webpage to run code with the logged-in user's clearance level.
The Edge scripting engine was also the subject of four memory corruption RCE flaws, as well as an information disclosure bug, CVE-2018-0839[1], that allows an attack page to view objects in memory.
Just two of the 75 Microsoft bugs squashed this month have been publicly disclosed. They include an elevation of privilege bug in Exchange (CVE-2018-0940[1]) exploited via email. Dustin Childs of the Zero Day Initiative said that the bug is perfectly set up to facilitate a spear phishing attack.
[1] All content at portal.msrc.microsoft.com is behind scripts. Attempts to have archive.is run the scripts results in a EULA page.
Work From Home Hackers Make $130,000 In 48 Hours From Windows 10 Exploits:
Those of you who follow my reporting may already be familiar with Pwn2Own, a series of hacking events that test some of the most talented hackers across the world. These elite security researchers have been trying to exploit popular software, hardware and services since 2007 in exchange for the kudos. And money. Lots of money. In November 2019, during the Pwn2Own Tokyo event, a total of $315,000 (£270,300), including one hacking group which earned $80,000 (£68,500) for hacking the Samsung Galaxy S10. Twice. That hacking group was Team Fluoroacetate, Amat Cama and Richard Zhu, who ended up earning a total of $195,000 (£167,000) and the coveted "Master of Pwn" title by the time the event was over. It looked like these master hackers wouldn't be able to defend that title as coronavirus travel restrictions, and fear of infection, threatened to cancel the Pwn2Own 2020 event taking place at the CanSecWest cybersecurity conference in Vancouver, Canada.
They need not have worried, as the event went virtual for the first time. This involved the various hackers submitting exploits in advance to the Pwn2Own organizers, who then ran that code during a Zoom live stream involving all the participants. The Zero Day Initiative that runs the Pwn2Own event said: "The world right now is a tumultuous place full of uncertainty. It is communities, such as the security research community and the incident response community, that we can rely on during these trying times. We are so appreciative of all those who helped the event come together and succeed."
The work from home hackers from Team Fluoroacetate certainly succeeded, winning the Master of Pwn title once again, along with that $130,000 bounty. While the full details of how they exploited Windows 10 and Adobe Reader will not be made public for 90 days to allow the vendors to produce security patches, I can tell you what they did in broad terms.
For the curious, here is Wikipedia's entry on sodium fluoroacetate, a poisonous substance with no known antidote.
Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input:
A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers.
Pwn2Own, organized by the Zero Day Initiative, is a contest for white-hat cybersecurity professionals and teams to compete in the discovery of bugs in popular software and services.
[...] For successful entrants, the financial rewards can be high -- and in this case, Daan Keuper and Thijs Alkemade earned themselves $200,000 for their Zoom discovery.
The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction.
[...] As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted.
In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected.
"The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."
[...] End-users just need to wait for a patch to be issued -- but if worried, they can use the browser version in the meantime.
