Over $1 Million Awarded To Hackers In Pwn2Own Toronto


Pwn2Own, the annual computer hacking contest that concluded in Toronto, Canada, on October 27, 2023, saw security researchers earning $1,038,500 for 58 unique zero-day exploits (and multiple bug collisions).

The four-day hacking event was held from October 24 to October 27, 2023, with more than $1,000,000 USD in prize money and other forms of prizes available to contestants.

The hacking event had multiple categories for the security researchers to target in the competition, which included printers, surveillance systems, network-attached storage (NAS) devices, mobile phones, home automation hubs, smart speakers, and Google’s Pixel Watch and Chromecast devices.

The hacking contest saw the Samsung Galaxy S23 successfully hacked four times, by the teams of Pentest Ltd, STAR Labs SG, Interrupt Labs, and ToChim. Pentest Ltd and Interrupt Labs exploited an Improper Input Validation weakness in the Samsung Galaxy S23, while STAR Labs SG and ToChim exploited a permissive list of allowed inputs on the smartphone.

Further, the exploitation of Samsung Galaxy S23 earned the Pentest Ltd and Interrupt Labs teams a reward of $50,000 and $25,000, respectively, and 5 Master of Pwn points, while the STAR Labs SG and ToChim teams got $25,000 and 5 Master of Pwn points each for their exploits.

Other Highlights:

  • Chris Anastasio was able to exploit a bug in the TP-Link Omada Gigabit Router and another in the Lexmark CX331adwe for $100,000
  • Team Orca of Sea Security executed a 2-bug chain using an OOB Read and UAF against the Sonos Era 100 for $60,000
  • A DEVCORE Intern executed a stack overflow attack against the TP-Link Omada Gigabit Router and exploited two bugs in the QNAP TS-464 for $50,000
  • Team Viettel was able to execute a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup for $50,000
  • Products from Xiaomi, Western Digital, Synology, Canon, Lexmark, Sonos, TP-Link, QNAP, Wyze, and HP were all exploited during the competition

The overall Master of Pwn winner was Team Viettel, with 30 Master of Pwn points, winning $180,000. They were followed on the…