On the second day of Pwn2Own Ireland 2024, competing white hat hackers demonstrated an impressive 51 zero-day vulnerabilities, earning a total of $358,625 in cash prizes.
Pwn2Own is a hacking contest where security researchers compete to exploit software and mobile hardware devices to earn the coveted title of “Master of Pwn” and $1,000,000 in cash and prizes.
On day 2 of Pwn2Own, the Viettel Cyber Security team maintained a strong lead in the race for the “Master of Pwn” title, with standout performances across multiple categories.
Pham Tuan Son and ExLuck from ANHTUD kicked off the day by exploiting a Canon imageCLASS MF656Cdw printer using a stack-based buffer overflow, securing $10,000 and 2 Master of Pwn points.
Ken Gannon from NCC Group chained 5 bugs, including a path traversal, to exploit the Samsung Galaxy S24, earning a $50,000 payout and 5 points. His exploit allowed him to install an app and gain shell access to the popular Android device.
Dungdm from Viettel Cyber Security took control of a Sonos Era 300 smart speaker using a Use-After-Free (UAF) vulnerability. His successful exploit added $30,000 to his team’s earnings and 6 Master of Pwn points.
Team Cluck’s duo Chris Anastasio and Fabius Watson chained two vulnerabilities, including a CRLF injection, to compromise the QNAP TS-464 NAS, earning $20,000 and 4 points in the process.
Corentin BAYET of Reverse Tactics targeted the QNAP QHora-322 router and earned $41,750 and 8.5 points, despite one of the three bugs in his chain being a repeat from earlier rounds.
Collisions and fails
Day 2 also had several collisions, meaning the same exploit was used by other researchers, as well as unsuccessful attempts to hack the devices in the allotted time.
Tenable and Synacktiv received reduced payouts and fewer points due to collisions when hacking the Lorex 2K and Synology BeeStation devices, respectively.
In addition, DEVCORE, Rapid7, and Neodyme had difficulty executing their exploits within the time limits, resulting in several failed attempts across devices such as the Sonos Era 300 and the Lexmark CX331adwe printer.
Despite the setbacks, the Pwn2Own competition remains intense. It has only reached the halfway point, with two days remaining for participants to climb higher in the rankings.
At this point, researchers have exploited a total of 103 zero-day vulnerabilities, 52 of them on day one, and earned $847,875 in prizes.