Samsung Galaxy S24 and Sonos Era hacked on Pwn2Own Ireland Day 2

On the second day of Pwn2Own Ireland 2024, competing white hat hackers showcased an impressive 51 zero-day vulnerabilities, earning a total of $358,625 in cash prizes.

Pwn2Own is a hacking contest where security researchers compete to exploit software and mobile hardware devices to earn the coveted title of “Master of Pwn” and $1,000,000 in cash and prizes.

On day 2 of Pwn2Own, the Viettel Cyber Security team maintained a strong lead in the race for the “Master of Pwn” title, with standout performances across multiple categories.

Pham Tuan Son and ExLuck from ANHTUD kicked off the day by exploiting a Canon imageCLASS MF656Cdw printer using a stack-based buffer overflow, securing $10,000 and 2 Master of Pwn points.

Ken Gannon from NCC Group chained five bugs, including a path traversal, to exploit the Samsung Galaxy S24, earning a $50,000 payout and 5 points. His exploit allowed him to install an app and obtain shell access on the popular Android device.

Dungdm from Viettel Cyber Security took control of a Sonos Era 300 smart speaker using a use-after-free (UAF) vulnerability. His successful exploit added $30,000 to his team’s earnings and 6 Master of Pwn points.

Team Cluck’s duo Chris Anastasio and Fabius Watson chained two vulnerabilities, including a CRLF injection, to compromise the QNAP TS-464 NAS, earning $20,000 and 4 points in the process.

Corentin BAYET of Reverse Tactics earned $41,750 and 8.5 points while targeting the QNAP QHora-322 router, despite one of the three bugs in his chain being a repeat from earlier rounds.

Collisions and fails

Day 2 also had multiple collisions, meaning the same exploit was used by other researchers, as well as unsuccessful attempts to hack the devices within the allotted time.

Tenable and Synacktiv received reduced payouts and fewer points due to collisions when hacking the Lorex 2K and Synology BeeStation devices, respectively.

Additionally, DEVCORE, Rapid7, and Neodyme encountered difficulties in executing their exploits within the time limits, resulting in multiple failed attempts across devices like the Sonos Era 300 and Lexmark CX331adwe printer.

Despite the setbacks, the Pwn2Own competition remains intense, having only reached the halfway point, with two days remaining for participants to climb higher in the rankings.

At this point, researchers have exploited a total of 103 zero-day vulnerabilities, 52 on day one, and earned $847,875 in prizes.
