The second day of Pwn2Own Ireland 2024 proved to be a riveting showcase of cybersecurity talent, where white hat hackers unearthed a staggering 51 zero-day vulnerabilities, collectively earning $358,625 in cash rewards. Pwn2Own is a prestigious annual hacking contest that challenges security researchers to exploit software and hardware vulnerabilities, vying for the title of “Master of Pwn” and a share of a prize pool of one million dollars.
During this intense day of competition, the Viettel Cyber Security team emerged as a notable frontrunner in the pursuit of the coveted title, delivering remarkable performances across multiple categories. Leading the charge was Pham Tuan Son, alongside ExLuck from ANHTUD, who opened the day by exploiting a stack-based buffer overflow in a Canon imageCLASS MF656Cdw printer. Their efforts secured a handsome reward of $10,000 and two Master of Pwn points.
However, the spotlight quickly shifted to some of the day’s more spectacular exploits. Ken Gannon from the NCC Group executed a complex chain of five vulnerabilities, which included a path traversal, against the latest Samsung Galaxy S24 smartphone. This attack not only earned him $50,000 but also netted five points towards the Master of Pwn title. Gannon’s successful exploit enabled him to install an unauthorized application on the device and gain shell access, highlighting significant security weaknesses in a device favored by millions.
In another standout performance, Dungdm from Viettel Cyber Security managed to seize control of the Sonos Era 300 smart speaker through a Use-After-Free (UAF) vulnerability. His successful manipulation of the device resulted in a windfall of $30,000 and six Master of Pwn points, accentuating the risks associated with smart home technology.
The breadth of vulnerabilities exploited during the event was impressive. Team Cluck’s duo, Chris Anastasio and Fabius Watson, chained together two vulnerabilities—including a critical CRLF injection—to compromise the QNAP TS-464 NAS, earning $20,000 and four points. Additionally, Corentin BAYET of Reverse Tactics secured $41,750 and 8.5 points targeting the QNAP QHora-322 router, despite one of his identified bugs being a repeat from earlier rounds.
Day 2 of Pwn2Own also witnessed several collisions, where multiple researchers exploited the same vulnerabilities on the same device. As a result, both Tenable and Synacktiv received reduced payouts and points for their attempts against the Lorex 2K and Synology BeeStation devices, respectively. Furthermore, teams such as DEVCORE, Rapid7, and Neodyme were unable to get their exploits working within the strict time limits, resulting in setbacks on devices like the Sonos Era 300 and the Lexmark CX331adwe printer.
Despite these hurdles, the competition remains fierce as participants strive to ascend the rankings. With two full days still left in the event, researchers have already showcased a remarkable total of 103 zero-day vulnerabilities, comprising 52 vulnerabilities detected on the opening day. So far, the cumulative earnings for the participating teams have reached an impressive $847,875, setting the stage for an electrifying continuation of the competition.
As the cyber challenge unfolds, the stakes continue to rise for both participants and the brands behind the technology under scrutiny. The findings not only highlight significant flaws in some of the most widely used devices but also underscore the critical importance of continual vigilance in cybersecurity practices to protect against evolving threats in the digital landscape.
As the event progresses, experts and enthusiasts alike will be following closely to see which teams ultimately prevail in their quest for dominance in the cybersecurity arena.