Hacks of Ubuntu, Firefox, Chrome, Docker and VirtualBox were demonstrated at the Pwn2Own 2024 competition

The results of the two-day Pwn2Own 2024 competition, held annually as part of the CanSecWest conference in Vancouver, have been announced. Working techniques for exploiting previously unknown vulnerabilities were demonstrated against Ubuntu Desktop, Windows 11, Docker, Oracle VirtualBox, VMWare Workstation, Adobe Reader, Firefox, Chrome, Edge and Tesla. A total of 23 successful attacks were demonstrated, exploiting 29 previously unknown vulnerabilities.

The attacks targeted the latest stable releases of the applications, browsers and operating systems with all available updates installed and default configurations. The total prize money paid out was USD 1,132,500. For hacking the Tesla, a Tesla Model 3 was awarded in addition. The rewards paid out over the last three Pwn2Own competitions amount to $3,494,750. The team with the most points received $202.


Performed attacks:

  • Four successful attacks on Ubuntu Desktop, allowing an unprivileged user to gain root privileges (one award each of 20 thousand and 10 thousand dollars, two awards of 5 thousand dollars). The vulnerabilities are caused by race conditions and buffer overflows.
  • An attack on Firefox that bypassed sandbox isolation and executed code on the system when a specially crafted page was opened (award of 100 thousand dollars). The vulnerability is caused by a bug that allows data to be read and written outside the bounds of the buffer allocated for a JavaScript object, combined with the ability to inject an event handler into a privileged JavaScript object. Mozilla developers promptly published the Firefox 124.0.1 update, which fixes the identified problems.
  • Four attacks on Chrome that executed code on the system when a specially crafted page was opened (one award each of 85 and 60 thousand dollars, two awards of 42.5 thousand). The vulnerabilities are caused by use-after-free bugs, out-of-bounds reads, and incorrect input validation. Three of the exploits are universal and work not only in Chrome but also in Edge.
  • An attack on Apple Safari that executed code on the system when a specially crafted page was opened (award of $60). The vulnerability is caused by an integer overflow.
  • Four hacks of Oracle VirtualBox that escaped from the guest system and executed code on the host side (one award of 90 thousand dollars and three awards of 20 thousand dollars). The attacks exploited vulnerabilities caused by buffer overflows, race conditions, and use-after-free bugs.
  • An attack on Docker that escaped from an isolated container (award of 60 thousand dollars). The vulnerability is caused by a use-after-free bug.
  • Two attacks on VMWare Workstation that escaped from the guest system and executed code on the host side. The attacks used a use-after-free bug, a buffer overflow, and an uninitialized variable (awards of $30 and $130).
  • Five attacks on Microsoft Windows 11 that escalated privileges (three awards of 15 thousand dollars, and one award each of 30 thousand and 7500 dollars). The vulnerabilities were caused by race conditions, integer overflows, incorrect reference counting, and incorrect input validation.
  • Code execution when processing content in Adobe Reader (award of 50 thousand dollars). The attack exploited a vulnerability that allowed API restrictions to be bypassed and a bug that allowed command injection.
  • An attack on the information system of a Tesla car, carried out by manipulating the CAN bus, triggering an integer overflow and gaining access to the ECU (electronic control unit). The award amounted to 200 thousand dollars and a Tesla Model 3 car.
  • Attempts to hack Microsoft SharePoint and VMware ESXi were unsuccessful.

Which components are affected by the problems has not yet been disclosed: in accordance with the competition's terms, detailed information about all demonstrated 0-day vulnerabilities will be published only after 90 days, the period given to vendors to prepare updates that eliminate the vulnerabilities.

Source: opennet.ru
