Microsoft Teams, Virtualbox, Tesla zero-days exploited at Pwn2Own

During the second day of Pwn2Own Vancouver 2023, competitors were awarded $475,000 after successfully exploiting 10 zero-days in multiple products.

The list of hacked targets included the Tesla Model 3, Microsoft's Teams communication platform, the Oracle VirtualBox virtualization platform, and the Ubuntu Desktop operating system.

The second day's highlight was a successful attempt from Synacktiv's David Berard (@_p0ly_) and Vincent Dehors (@vdehors) against the Tesla - Infotainment Unconfined Root.

This earned them $250,000 after successfully demonstrating a heap overflow and an OOB write zero-day exploit chain.

Synacktiv's Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) also exploited a three-bug chain to escalate privileges on an Oracle VirtualBox host to earn $80,000.

On a third attempt from Synacktiv, Tanguy Dubroca (@SidewayRE) was awarded $30,000 for demoing an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop.

Team Viettel (@vcslab) hacked also Microsoft Teams via a 2-bug chain to earn $78,000 and Oracle's VirtualBox using a Use-After-Free (UAF) bug and an uninitialized variable for $40,000.

On the first day, Pwn2Own competitors were awarded $375,000 and a Tesla Model 3 after successfully demoing 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox, and macOS.

On the last day of the contest, security researchers will attempt to exploit zero-day bugs in Ubuntu Desktop, Microsoft Teams, Windows 11, and VMware Workstation.

Pwn2Own Vancouver 2023 contestants can earn $1,080,000 in cash and a Tesla Model 3 car (already won on first day) between March 22 and March 24.

​Researchers will target products from multiple categories during the contest, including enterprise applications, enterprise communications, servers, virtualization, automotive, and local escalation of privilege (EoP).

That concludes Day 2 of #P2OVancouver – we awarded $475,000 for 10 unique zero-days today, bringing the total awarded to $850,000! Stay tuned tomorrow for the final day of the competition. #Pwn2Own pic.twitter.com/EtMnP4Ree5

— Zero Day Initiative (@thezdi) March 23, 2023

"This year’s event promises some exciting research as we have 19 entries targeting nine different targets - including two Tesla attempts," ZDI said.

"For this year’s event, every round will pay full price, which means if all exploits succeed, we’ll award over $1,000,000 USD."

Vendors have to patch zero-day vulnerabilities demoed and disclosed during Pwn2Own within 90 days before Trend Micro's Zero Day Initiative publicly publishes technical details.

At Pwn2Own Vancouver 2022, security researchers earned $1,155,000 after hacking the Tesla Model 3 Infotainment System, taking down Windows 11 six times, demonstrating three Microsoft Teams zero-days, and exploiting Ubuntu Desktop four times.