Table of Contents
- Updated on 2022-12-12: Pwn2Own Toronto 2022 results
- Updated on 2022-12-01: Pwn2Own ICS hacking contest
- Updated on May 2022: Canon bugs at Pwn2Own
- Updated on April 2021: Critical Zoom Flaw Allows Remote Code Executions with No User Interaction
- Overview: Major Browser and OS Hacked During Pwn2Own Hacking Competition 2015
Updated on 2022-12-12: Pwn2Own Toronto 2022 results
The fall edition of the Pwn2Own hacking contest has ended. The contest is focused on the hacking of routers, smartphones, printers, and other smart devices, and this year it was won by DEVCORE, a Chinese pen-testing company. The contest took place across four days. Results for each are here [1, 2, 3, 4], and the final standing is embedded below. DEVCORE won the contest with successful exploits for Sonos One smart speakers, Mikrotik routers, and Canon, HP, and Lexmark printers. Read more:
- PWN2OWN TORONTO 2022 – DAY ONE RESULTS
- PWN2OWN TORONTO 2022 – DAY TWO RESULTS
- PWN2OWN TORONTO 2022 – DAY THREE RESULTS
- PWN2OWN TORONTO 2022 – DAY FOUR RESULTS AND MASTER OF PWN
Updated on 2022-12-01: Pwn2Own ICS hacking contest
ZDI has published the rules and targets for its Pwn2Own hacking contest that will take place in Miami in mid-February. This is the Pwn2Own contest that’s dedicated to hacking ICS gear. For this edition, the target list includes equipment from the likes of Prosys, PTC, Triangle Microworks, Softing, AVEVA, and Inductive Automation. Read more: PWN2OWN RETURNS TO MIAMI BEACH FOR 2023
Updated on May 2022: Canon bugs at Pwn2Own
The Synactiv team have published their write-up on the vulnerabilities in Canon laser printers they exploited during the Pwn2Own hacking contest last year. The teams also exploited issues in HP and Lexmark printers too, but those write-ups have not yet been published.
Updated on April 2021: Critical Zoom Flaw Allows Remote Code Executions with No User Interaction
Two security researchers from the Netherlands demonstrated an exploit of flaws in the Zoom desktop client that allowed them to take control of a user’s computer. The exploit chains together three vulnerabilities in Zoom to allow remote code execution with no user interaction. The exploit works on the Zoom desktop client for PCs and for Mac.
- The browser version of Zoom in not affected – a good work around until the patch is available. Good to see that Zoom was one of the sponsors of the Pwn2Own competition that found this one.
- This flaw was revealed and demonstrated during the Pwn2Own event. The vulnerabilities have been reported to Zoom, and no details were made public. The Pwn2Own events have been a great way for researchers to demonstrate their skills responsibly. While depressing to see pretty much every single target fall year after year, this event has been a great source of responsibly disclosed vulnerability details.
- The exploit leverages a weakness in the Zoom Chat product, not the in-session chat which is part of Zoom Meetings or Zoom Video Webinars. The attacker has to either be an accepted external contact or another organizational user. The best mitigation is to use the web client until a fix is released. Also make sure that you’re following best practices to secure online meetings and accept external contact requests only from people you know and trust.
- A rare exception to the rule that one should prefer purpose-built applications to browsers.
Read more in:
- Critical Zoom vulnerability triggers remote code execution without user input
- Huge Zoom flaw lets hackers completely take over your Mac or PC [updated]
Overview: Major Browser and OS Hacked During Pwn2Own Hacking Competition 2015
The Annual Pwn2Own Hacking Competition 2015 sponsored by HP’s Zero Day Initiative program held in Vancouver, Canada is over and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash.
The latest version of all the four major browsers including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by the two security researchers.
Some highlights for Pwn2Own Hacking Competition 2015 as below:
- 5 bugs in the Windows operating system
- 4 bugs in Internet Explorer 11
- 3 bugs in Mozilla Firefox
- 3 bugs in Adobe Reader
- 3 bugs in Adobe Flash
- 2 bugs in Apple Safari
- 1 bug in Google Chrome
- $557,500 USD bounty paid out to researchers