On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes.
Viettel Cyber Security took an early lead, getting 13 points in their chase for the “Master of Pwn” title. The team’s phudq and namnp exploited a Lorex 2K WiFi camera through a stack-based buffer overflow vulnerability and got $30,000 and 3 points.
Sina Kheirkhah from Summoning Team stole the show with a chain of 9 vulnerabilities to go from the QNAP QHora-322 router to the TrueNAS Mini X device, which brought a $100,000 payout and 10 Master of Pwn points.
RET2 Systems’ Jack Dates followed with a successful out-of-bounds (OOB) write exploit on the Sonos Era 300 smart speaker, securing $60,000 and 6 points. His exploit allowed full control over the device.
A second Viettel Cyber Security attempt combined 4 new bugs to pivot from the QNAP QHora-322 router to the TrueNAS Mini X, earning them another $50,000 and 10 points.
Other notable attempts from Pwn2Own day one include:
- Team Neodyme leveraged a stack-based buffer overflow to target the HP Color LaserJet Pro MFP 3301fdw printer. Their success was rewarded with $20,000 and 2 points.
- PHP Hooligans / Midnight Blue earned $20,000 for exploiting a Canon imageCLASS MF656Cdw printer using a single bug.
- ExLuck of ANHTUD joined the leaderboard with 4 new bugs, including improper certificate verification and a hardcoded cryptographic key, to exploit the QNAP TS-464 NAS device. This effort earned $40,000 and 4 Master of Pwn points.
- On the surveillance front, Rapid7’s Ryan Emmons and Stephen Fewer successfully exploited the Synology DiskStation DS1823xs+ via an improper neutralization of argument delimiters bug, earning $40,000 and 4 points.
The first day wasn’t without challenges and partial failures, though. Summoning Team struggled to execute their QNAP TS-464 and Synology BeeStation BST150-4T exploits in time, while Synacktiv experienced a bug collision in their Lorex 2K camera exploit, earning a reduced payout of $11,250.
Despite a few setbacks, the first day of Pwn2Own Ireland 2024 was packed with high-stakes hacks and matching rewards.
There are three more days left in the competition, and participants will try to exploit security issues found in fully patched SOHO devices, including printers, NAS systems, WiFi cameras, routers, smart speakers, and mobile phones (Samsung Galaxy S24), for a portion of the $1 million prize pool.