The three-day Pwn2Own 2022 hacking contest held in Vancouver this week has come to an end.

Pwn2Own is the world's best-known hacking competition and the one with the largest prize pool. It is run by the Zero Day Initiative (ZDI), a project of the network-security vendor TippingPoint (formerly part of HP, now owned by Trend Micro). Contestants are challenged to find previously unknown vulnerabilities in widely used software and mobile devices. Technology vendors support the competition and use the results of the hacking challenges to improve their products.

Over the three days, contestants discovered and exploited multiple vulnerabilities in products from Microsoft, Ubuntu, Apple, Oracle, and Tesla.

Ubuntu Desktop was compromised three times:

The Orca team at Sea Security (security.sea.com) chained two vulnerabilities in Ubuntu Desktop, an out-of-bounds write (OOBW) and a use-after-free (UAF), to escalate privileges, earning a $40,000 bounty. Bugs of this kind stem from an application mismanaging its own memory, and the same classes are routinely exploited against browsers.

The TUTELARY team from Northwestern University also demonstrated a use-after-free vulnerability for privilege escalation on Ubuntu Desktop, earning a $40,000 bounty.

On the third day of the competition, STAR Labs security researcher Billy Jheng Bing-Jhong demonstrated another use-after-free-based privilege-escalation exploit on Ubuntu Desktop, also for a $40,000 prize.
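The two bug classes behind the Ubuntu entries above, out-of-bounds write and use-after-free, come down to a write that trusts a caller-supplied length and a pointer that is still used after the memory behind it has been freed. The following C program is an added, constructed illustration of both patterns next to the checked forms that prevent them; the `session` struct, the field names, and the sizes are hypothetical, and none of this is the code behind any Pwn2Own entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example (not from any Pwn2Own entry): an out-of-bounds
 * write and a use-after-free beside their checked counterparts.
 */

#define NAME_LEN 16

struct session {
    char name[NAME_LEN];   /* caller-controlled string */
    int  privileged;       /* sits directly after the buffer in memory */
};

/* OOBW: memcpy trusts the caller-supplied length, so len > NAME_LEN runs
 * past 'name' and clobbers 'privileged'. Undefined behaviour; defined
 * here for contrast only and never called. */
void set_name_unchecked(struct session *s, const char *src, size_t len)
{
    memcpy(s->name, src, len);
}

/* Checked form: refuse anything that does not fit with a terminating NUL. */
int set_name_checked(struct session *s, const char *src, size_t len)
{
    if (s == NULL || src == NULL || len >= NAME_LEN)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Allocate a zeroed session; 'privileged' starts at 0. NULL on failure. */
struct session *session_open(void)
{
    return calloc(1, sizeof(struct session));
}

/* UAF: free() leaves the caller's copy of the pointer dangling, so a later
 * is_privileged(s) reads memory the allocator may already have reused.
 * Defined here for contrast only and never called. */
void session_close_dangling(struct session *s)
{
    free(s);
}

/* Checked form: take the pointer by address and null it after free, so a
 * later use fails the NULL check instead of touching freed memory. */
void session_close(struct session **sp)
{
    if (sp == NULL || *sp == NULL)
        return;
    free(*sp);
    *sp = NULL;
}

int is_privileged(const struct session *s)
{
    return s != NULL && s->privileged != 0;
}

/* Walk the checked path: an oversized name is rejected instead of
 * overwriting 'privileged', and a closed session can no longer be used.
 * Returns 0 when every step behaves as expected. */
int demo(void)
{
    char oversized[NAME_LEN + 8];
    memset(oversized, 'A', sizeof oversized);   /* 24 bytes, no NUL */

    struct session *s = session_open();
    if (s == NULL)
        return -1;

    int rc_long  = set_name_checked(s, oversized, sizeof oversized); /* -1 */
    int rc_short = set_name_checked(s, "guest", 5);                  /*  0 */
    int priv     = is_privileged(s);                                 /*  0 */

    session_close(&s);
    int after_close = is_privileged(s);   /* 0: s is NULL, not dangling */

    return (rc_long == -1 && rc_short == 0 && priv == 0 &&
            s == NULL && after_close == 0) ? 0 : 1;
}

int main(void)
{
    printf("demo: %s\n", demo() == 0 ? "checked path behaves as expected"
                                     : "unexpected result");
    return 0;
}
```

The unchecked variants are deliberately never executed: the overflow and the dangling read are undefined behaviour, and what an attacker does with them depends on the allocator and the surrounding heap layout. The point of the checked forms is that the length is validated against the destination, not the source, and that ownership of a freed object is revoked at the only place that knows it has been freed.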

Beyond Ubuntu, Tesla also drew plenty of attention from contestants. David BERARD and Vincent DEHORS of Synacktiv earned $75,000 for two unique vulnerabilities (a double-free and an out-of-bounds write) in the Tesla Model 3 infotainment system. They did not win the car outright, but the prize money would be enough to buy one.

@Jedar_LZ did not manage to compromise the Tesla within the allotted time, but the organizers still purchased the vulnerabilities he had found and disclosed them to Tesla.

Microsoft's products were also popular targets: several serious new vulnerabilities were found in Teams and Windows 11, and Firefox, Safari, and VirtualBox were not spared either. The vendors have 90 days to fix every vulnerability disclosed during the competition.

Final ranking:

The organizers said they paid out a total of $1,155,000 for 25 unique zero-day exploits in this contest.
