On the primary day of Pwn2Own Eire, individuals demonstrated 52 zero-day vulnerabilities throughout a variety of gadgets, incomes a complete of $486,250 in money prizes.
Viettel Cyber Security took an early lead getting 13 factors of their chase for the “Master of Pwn” title. The crew’s phudq and namnp exploited a Lorex 2K WiFi digital camera by a stack-based buffer overflow vulnerability and bought $30,000 and three factors.
Sina Kheirkhah from Summoning Group stole the present with a sequence of 9 vulnerabilities to go from QNAP QHora-322 router to TrueNAS Mini X system, which introduced a $100,000 payout and 10 Grasp of Pwn factors.
RET2 Methods’ Jack Dates adopted with a profitable out-of-bounds (OOB) write exploit on the Sonos Period 300 sensible speaker, securing $60,000 and 6 factors. His exploit allowed full management over the system.
A second Viettel Cyber Security try mixed 4 new bugs to pivot from the QNAP QHora-322 router to the TrueNAS Mini X, incomes them one other $50,000 and 10 factors.
Different notable makes an attempt from Pwn2Own day one embrace:
- Group Neodyme leveraged a stack-based buffer overflow to focus on the HP Coloration LaserJet Professional MFP 3301fdw printer. Their success was rewarded with $20,000 and a couple of factors.
- PHP Hooligans / Midnight Blue earned $20,000 for exploiting a Canon imageCLASS MF656Cdw printer utilizing a single bug.
- ExLuck of ANHTUD joined the leaderboard with 4 new bugs, together with improper certificates verification and a hardcoded cryptographic key, to use the QNAP TS-464 NAS system. This effort earned $40,000 and 4 Grasp of Pwn factors.
- On the surveillance entrance, Rapid7’s Ryan Emmons and Stephen Fewer efficiently exploited the Synology DiskStation DS1823xs+ by way of an improper neutralization of argument delimiters bug, incomes $40,000 and 4 factors.
The primary day wasn’t with out challenges and partial failures although. Summoning Group struggled to execute their QNAP TS-464 and Synology BeeStation BST150-4T exploits in time, whereas Synacktiv skilled a bug collision of their Lorex 2K digital camera exploit, incomes a decreased payout of $11,250.
Regardless of a number of setbacks, the first day of Pwn2Own Eire 2024 was filled with high-stakes hacks and matching rewards.
There are three extra days left within the competitors and individuals will attempt to exploit safety points present in absolutely patched SOHO gadgets, together with printers, NAS programs, WiFi cameras, routers, sensible audio system, cellphones (Samsung Galaxy S24), for a portion of the $1 million pool prize.