Ubuntu & Tesla hacked in Pwn2Own Vancouver 2022
The three-day Pwn2Own 2022 hackathon in Vancouver has come to an end this week. Pwn2Own is the world’s most famous hacker competition with the most lucrative prize money. It is hosted by the ZDI (Zero Day Initiative), a project team of TippingPoint, a US Pentagon network security service provider. The challenge for contestants is to identify undiscovered vulnerabilities in widely used software and mobile devices. Tech companies support the competition and use the hacking challenges to improve their products.
Ubuntu was taken down three times:
- The Orca team at Sea Security (security.sea.com) discovered two vulnerabilities in the Ubuntu desktop: Out-of-Bounds Write (OOBW) and Use-After-Free (UAF), resulting in privilege escalation and a $40,000 bounty. This type of vulnerability is usually caused by an application's poor memory management and is often used to attack and exploit browsers.
- The TUTELARY team at Northwestern University also successfully demonstrated a Use-After-Free vulnerability for privilege escalation on the Ubuntu desktop and won a $40,000 bounty.
- STAR Labs security researcher Billy Jheng Bing-Jhong also successfully demonstrated a Use-After-Free-based exploit on the Ubuntu desktop on the third day of the competition and won a $40,000 prize.
The organizers say they awarded a total of $1,155,000 for 25 unique zero-day exploits in this contest.