Pwn2Own 2022 showcases 5 Ubuntu hacks

The results of the three days of the Pwn2Own 2022 competition, held annually as part of the CanSecWest conference, have been summed up. Working techniques for exploiting previously unknown vulnerabilities were demonstrated for Ubuntu Desktop, VirtualBox, Safari, Windows 11, Microsoft Teams, and Firefox. In total, 25 successful attacks were demonstrated, and three attempts ended in failure. The attacks targeted the latest stable releases of applications, browsers and operating systems, with all available updates installed and in the default configuration. The total amount of remuneration paid was 1,155,000 US dollars.

The competition saw five successful attempts to exploit previously unknown vulnerabilities in Ubuntu Desktop, made by different teams of participants. One $40 award was given for demonstrating local privilege escalation in Ubuntu Desktop by exploiting two buffer overflow and double free problems. Four bonuses, worth $40 each, were paid for demonstrating privilege escalation by exploiting use-after-free vulnerabilities (access to memory after it has been freed).

Which components contain the problems has not yet been reported. Under the terms of the competition, detailed information about all demonstrated 0-day vulnerabilities will be published only after 90 days, the period given to vendors to prepare updates that eliminate the vulnerabilities.

Other successful attacks:

  • 100 thousand dollars for an exploit for Firefox that, when a specially crafted page is opened, bypasses sandbox isolation and executes code in the system.
  • $40 for demonstrating an exploit that uses a buffer overflow in Oracle VirtualBox to break out of the guest system.
  • $50 for exploiting Apple Safari (buffer overflow).
  • $450 for Microsoft Teams hacks (different teams demonstrated three hacks with a reward of $150 each).
  • $80 (two $40 bonuses) for exploiting buffer overflows and escalating privileges in Microsoft Windows 11.
  • $80 (two $40 bonuses) for exploiting a bug in the access check code to elevate privileges in Microsoft Windows 11.
  • $40k for exploiting an integer overflow to elevate privileges in Microsoft Windows 11.
  • $40 for exploiting a Use-After-Free vulnerability in Microsoft Windows 11.
  • $75 for demonstrating an attack on the infotainment system of a Tesla Model 3 car. The exploit used buffer overflow and double free bugs, along with a previously known sandbox bypass technique.

There were also separate unsuccessful attempts to hack Microsoft Windows 11 (6 successful hacks and 1 unsuccessful), Tesla (1 successful hack and 1 unsuccessful) and Microsoft Teams (3 successful hacks and 1 unsuccessful). There were no requests to demonstrate exploits in Google Chrome this year.

Source: opennet.ru