Tesla, Microsoft Teams, others hacked at Pwn2Own 2023
On the second day of Pwn2Own Vancouver 2023, a group of security researchers exploited ten zero-day vulnerabilities in various products, earning $475,000 in total. The Tesla Model 3, Microsoft’s Teams communication platform, Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system were among the targets of their attacks.
One of the day’s most notable accomplishments came from Synacktiv’s David Berard (@p0ly) and Vincent Dehors (@vdehors), who successfully executed an exploit against the Tesla Model 3 Infotainment Unconfined Root. They received $250,000 for demonstrating a series of zero-day exploits, including a heap overflow and an out-of-bounds write.
During the event, other successful hacks were also carried out by the security researchers. For instance, Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) of Synacktiv exploited a chain of three bugs to escalate privileges on an Oracle VirtualBox host and received a prize of $80,000.
Tanguy Dubroca (@SidewayRE) of Synacktiv was able to demonstrate an incorrect pointer scaling zero-day, resulting in privilege escalation on Ubuntu Desktop, and was awarded $30,000. Team Viettel (@vcslab) also earned $78,000 for hacking Microsoft Teams via a chain of two bugs and an additional $40,000 for exploiting Oracle’s VirtualBox using a use-after-free (UAF) bug and an uninitialized variable.
The Singapore-based STAR Labs claimed the second spot, while Team Viettel from Vietnam secured the third place. Qrious Secure and Abdul-Aziz Hariri from Saudi Arabia’s Haboob were placed fourth and fifth, respectively. Abdul-Aziz Hariri demonstrated his skills by successfully exploiting Adobe Reader on macOS in less than 15 seconds.
In addition to the aforementioned exploits, the participants of the competition also successfully hacked a fully patched Windows 11 desktop and demonstrated a chained attack against Oracle’s VirtualBox hypervisor with a host escalation of privileges, as well as a privilege escalation on Ubuntu Desktop.
On the first day of the competition, a group of hackers demonstrated 12 zero-day exploits in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox, and macOS, earning a Tesla Model 3 and $100,000 in prize money. Synacktiv, the group responsible for hacking the Tesla Model 3, used a time-of-check time-of-use (TOCTOU) exploit to gain access to the vehicle. The details of how the hack was executed were not disclosed to prevent any potential security risks for Tesla owners.
Tesla was the target of the competition this year because, according to the organisers: “Tesla almost single-handedly invented the connected car industry. It knows more than most what’s required to keep one step ahead of the competition and the cybercrime community: rigorous testing and continuous probing for software bugs.”
Vendors have 90 days to patch zero-day vulnerabilities that are demoed and disclosed during Pwn2Own before Trend Micro’s Zero Day Initiative publicly publishes technical details.
The sources for this piece include an article in BleepingComputer.