Pwn2Own 2023, the annual hacking competition held in Vancouver as part of the CanSecWest conference, has demonstrated successful exploitation of previously unknown vulnerabilities in a range of operating systems and applications.
Over its three days, the competition saw working exploits demonstrated against Ubuntu Desktop, Apple macOS, Oracle VirtualBox, VMware Workstation, Microsoft Windows 11, Microsoft Teams, Microsoft SharePoint, and even a Tesla car. In total, 27 successful attacks using previously unknown vulnerabilities were demonstrated against the latest stable versions of the applications, browsers, and operating systems, with all available updates installed and in their default configurations.
The successful attacks yielded a total of $1,035,000 in rewards, along with a Tesla Model 3 car. The team that scored the most points received $530,000 along with the car.
In particular, five successful attempts to exploit previously unknown vulnerabilities in Ubuntu Desktop were made by different teams. The vulnerabilities involved a double free ($30,000 award), a use-after-free ($30,000), and incorrect pointer scaling ($30,000). Two further demonstrations relied on vulnerabilities that were already known but not yet fixed (two awards of $15,000 each). One more attempt to attack Ubuntu was made, but the exploit failed.
The competition rules require detailed information on all demonstrated 0-day vulnerabilities to be withheld for 90 days, giving vendors time to prepare and ship fixes.
Other successful attacks included three attacks on Oracle VirtualBox, exploiting a use-after-free, a buffer overflow, and an out-of-bounds read (two awards of $40,000 and one of $80,000 for a chain of three vulnerabilities that achieved code execution on the host). There was also a privilege escalation on Apple macOS ($40,000), two privilege escalation attacks on Microsoft Windows 11 ($30,000 each), and an attack on Microsoft Teams that chained two bugs ($75,000).