Microsoft Teams, Virtualbox, and Tesla have all been exploited in Pwn2Own

During Day 2 of Pwn2Own Vancouver 2023, competitors were awarded $475,000 after successfully exploiting 10 days of zero across multiple products.

The hacked targets included the Tesla Model 3, Microsoft’s Teams communications platform, Oracle VirtualBox virtual platform, and the Ubuntu Desktop operating system.

The highlight of day two was a successful attempt from Synacktiv’s David Berard (@_p0ly_) and Vincent Dehors (@employee) against Tesla – the root of the uninhibited infotainment.

This earned them $250,000 and allowed them to obtain a Tesla Model 3 after hacking via the overflow stack and writing an OOB exploit string.

Thomas Imbert of Synacktiv (@employee) and Thomas Boozer (@employee) also successfully exploited a series of three privilege escalation errors on an Oracle VirtualBox host to earn $80,000.

On a third try from Synacktiv, Tanguy Dubroca (@employee) was awarded $30,000 for the demonstration of an incorrect zero-day benchmark resulting in privilege escalation on the Ubuntu desktop.

Vettel Team (@employee) also hacked Microsoft Teams via a Series 2 bug to earn $78,000 and Oracle’s VirtualBox with a use-after-free (UAF) bug and an uninitialized variable for $40,000.

On Day 1, Pwn2Own competitors were awarded $375,000 and a Tesla Model 3 car after successfully pitching 12 Zero Days in Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox, and macOS.

On the final day of the competition, security researchers will attempt zero-day exploits in Ubuntu Desktop, Microsoft Teams, Windows 11, and VMware Workstation.

Pwn2Own Vancouver 2023 Contestants can win $1,080,000 in cash and two Tesla Model 3 cars between March 22nd and March 24th.

Researchers Products will be targeted from multiple categories during the competition, including Enterprise Applications, Enterprise Communications, Servers, Virtualization, Automotive, and Local Privilege (EoP) Escalation.

“This year’s event promises some exciting research as we have 19 entries targeting nine different targets – including two Tesla attempts,” ZDI said.

“For this year’s event, each round will pay full price, which means if all exploits are successful, we will award over $1,000,000 USD.”

Vendors must patch tested zero-day vulnerabilities and disclose them through Pwn2Own within 90 days before Trend Micro’s Zero Day Initiative releases technical details publicly.

At Pwn2Own Vancouver 2022, security researchers earned $1,155,000 after a Tesla Model 3 Infotainment System was hacked, crashing Windows 11 six times, showing three Microsoft Teams zero days, and exploiting Ubuntu Desktop four times.