Pwn2Own Vancouver 2024 - Day One Results

Pwn2Own Vancouver 2024 kicked off with two days of research, focusing on vulnerabilities in browsers, SharePoint, and Tesla. The first day saw a total of $732,500 awarded for 19 unique zero-day exploits. AbdulAziz Hariri successfully exploited Adobe Reader with a combination of API Restriction Bypass and Command Injection, earning $50,000. The DEVCORE Research Team achieved Local Privilege Escalation (LPE) on Windows 11 through a TOCTOU race condition, claiming $30,000. Seunghyun Lee from KAIST Hacking Lab exploited Google Chrome with a single Use-After-Free (UAF) bug, earning $60,000. Gwangun Jung and Junoh Lee from Theori combined multiple vulnerabilities to escape VMware Workstation and execute code on the host Windows OS, winning $130,000. The DEVCORE Team also successfully exploited Ubuntu Linux, earning $10,000 despite the bug being previously known. Bruno PUJOS and Corentin BAYET from REverse Tactics escaped Oracle VirtualBox's guest OS and achieved code execution on the host OS, earning $90,000. Synacktiv exploited Tesla's ECU with a single integer overflow, winning $200,000, a Tesla Model 3, and 20 Master of Pwn points. Kyle Zeng from ASU SEFCOM escalated privileges on Ubuntu Linux using a race condition, claiming $20,000. Cody Gallagher exploited Oracle VirtualBox with an Out-of-Bounds Write bug, winning $20,000. Manfred Paul successfully exploited Apple Safari with an integer underflow and PAC bypass, earning $60,000. Dungdm from Viettel Cyber Security exploited Oracle VirtualBox using a race condition, winning $20,000. Manfred Paul also executed a double-tap exploit on Chrome and Edge browsers, earning $42,500. The competition continues tomorrow, with Synacktiv holding the lead in the Master of Pwn standings.