Windows 11 Hacked Again at Pwn2Own, Telsa Model 3 also Falls
During the second day of the Pwn2Own Vancouver 2022 hacking competition, contestants hacked Microsoft’s Windows 11 OS again and demoed zero-days in Tesla Model 3’s infotainment system.
The first demonstration of the day came from the @Synacktiv team, who successfully demoed two unique bugs (Double-Free & OOBW) and a sandbox escape collision while targeting the Tesla Model 3 infotainment system, earning $75,000 for their efforts.
@Jedar_LZ also failed to demo a zero-day exploit against Tesla’s car. Although the bug wasn’t exploited within the allotted time, Trend Micro’s Zero Day Initiative (ZDI) acquired the exploit details and disclosed them to Tesla.
A third Windows 11 elevation of privileges zero-day caused by an improper access control bug was demoed on the second day by T0, with namnp failing to demonstrate a second Windows 11 privilege escalation zero-day within the time allotted.
Two more local privilege escalation vulnerabilities in Windows 11 were successfully demoed by the STAR Labs team and Marcin Wiązowski during the first round of the Pwn2Own contest.
Ubuntu Desktop was also hacked twice, with Bien Pham (@bienpnn) and Team TUTELARY from Northwestern University escalating privileges using two Use After Free bugs and earning $40,000 each.
On the first day of Pwn2Own, hackers won $800,000 after successfully exploiting 16 zero-day bugs to hack multiple products, including Microsoft’s Windows 11 operating system and the Teams communication platform, Ubuntu Desktop, Apple Safari, Oracle Virtualbox, and Mozilla Firefox.
On the third day of the contest, Pwn2Own competitors will attempt to exploit more zero-days in Windows 11, Microsoft Teams, and Ubuntu Desktop.
Vendors have 90 days to develop and release security fixes for all reported flaws after demoed security vulnerabilities are disclosed during Pwn2Own.
Security researchers will target products in multiple product categories between May 18 and May 20 at Pwn2Own Vancouver 2022, including web browsers, virtualization, local escalation of privilege, servers, enterprise communications, and automotive.
They can earn more than $1,000,000 in cash and prizes throughout the three days of the contest after successfully exploiting previously unknown bugs.