By Noah Stiles
Pwn2Own Toronto 2023 recently concluded, bringing forth a thrilling showcase of talent in the world of ethical hacking. The event witnessed hackers from around the globe going head to head, exploiting vulnerabilities in various devices and earning a grand total of $1,038,250 for their efforts. Let’s dive into the highlights of this exhilarating competition.
Team Viettel Triumphs as Master of Pwn
Team Viettel, represented by @vcslab, emerged as the champions of this year’s Pwn2Own, securing the prestigious title of “Master of Pwn.” Their remarkable performance earned them a substantial $180,000 in prize money, along with 30 Master of Pwn points.
The Vulnerabilities Unveiled
One of the unique aspects of Pwn2Own is the responsible disclosure of the vulnerabilities uncovered during the competition. After successfully exploiting these zero-day vulnerabilities, the participating teams diligently reported their findings to the respective vendors. To ensure users’ safety, vendors have been given a 90-day window to patch and address these vulnerabilities.
Standout Exploits
Several noteworthy exploits took center stage during Pwn2Own Toronto 2023. Team Viettel demonstrated their prowess with a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. This exploit not only showcased their skill but also earned them a substantial $50,000 in prize money and 10 Master of Pwn points.
Claroty’s team executed an impressive four-bug chain against the TP-Link Omada Gigabit Router and Synology BC500 during the SOHO Smashup. This accomplishment earned them $40,750 and 8.25 Master of Pwn points. However, it’s important to note that one of the vulnerabilities they exploited was a “bug collision,” meaning it had been previously identified.
The STEALIEN group managed to perform a stack-based buffer overflow attack against the Wyze Cam v3, resulting in a root shell. Their efforts were rewarded with $15,000 and 3 Master of Pwn points, underscoring the significance of their achievement.
Rafal Goryl deserves special mention for demonstrating a two-bug chain to hack the Wyze Cam v3 and gain a root shell. This remarkable feat earned him $15,000 and 3 Master of Pwn points.
Conclusion
Pwn2Own Toronto 2023 once again showcased the incredible talent and dedication of ethical hackers in identifying and exploiting vulnerabilities. The responsible disclosure of these vulnerabilities to vendors ensures that the security of devices and systems is enhanced, ultimately benefiting end-users. As we look to the future, it’s evident that events like Pwn2Own will continue to play a crucial role in advancing cybersecurity and protecting the digital landscape.