Hackers earn $1,035,000 for 27 zero-days exploited at Pwn2Own Vancouver

Pwn2Own Vancouver 2023 has ended with contestants earning $1,035,000 and a Tesla Model 3 car for 27 zero-day (and several bug collisions) exploited between March 22 and 24.

During the , security researchers have targeted devices in the enterprise applications and communications, local escalation of privilege (EoP), virtualization, servers, and automotive categories, all up-to-date and in their default configuration.

The total prize pool for Pwn2Own Vancouver 2023 was over $1,000,000 in cash and a Tesla Model 3, which won.

The hackers successfully escalated privileges and gained code execution on fully patched systems after hacking Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and, of course, the Tesla Model 3.

After the zero-day vulnerabilities are exploited and reported during Pwn2Own, vendors are given 90 days to release security fixes before TrendMicro’s Zero Day Initiative publicly discloses them.

Pwn2Own Vancouver 2023 rankings
Pwn2Own Vancouver 2023 final rankings (ZDI)

​Contest dominated by Team Synacktiv

Team Synacktiv won the competition with 53 Master of Pwn points and $530,000 earned in total throughout the three days of the contest.

, Synacktiv’s hackers were awarded $100,000 and a Tesla Model 3 after executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also exploited a TOCTOU zero-day bug to escalate privileges on Apple macOS and earn $40,000.

, Synacktiv members’ hacking exploits were also the highlight of the show, with a $250,000 award for David Berard () and Vincent Dehors () after demonstrating a heap overflow and an OOB write zero-day exploit chain against the Tesla – Infotainment Unconfined Root.

Synacktiv’s Thomas Imbert () and Thomas Bouzerar () also demoed a three-bug chain to escalate privileges on an Oracle VirtualBox host and earned $80,000, while Tanguy Dubroca () got a $30,000 award for an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop.

, Synacktiv’s Thomas Imbert () took down a fully-patched Windows 11 system to earn $30,000 for a Use-After-Free (UAF) zero-day.

[embedded content]

The also won $195,000 for zero-days in Microsoft SharePoint and VMWare Workstation and a Ubuntu Desktop collision, while was awarded $115,000 after hacking Microsoft Teams and Oracle VirtualBox.

At last year’s  hacking competition, in May 2022, researchers earned $1,155,000 and a car after hacking the Tesla Model 3 Infotainment System and taking down Windows 11, Ubuntu Desktop, Microsoft Teams, and more using multiple zero-day bugs and exploit chains.