The three-day hacking event was held between March 22, 2023, and March 24, 2023, with prize money to be won in excess of $1,000,000 USD and two Tesla Model 3. “For this year’s event, every round will pay full price, which means if all exploits succeed, we’ll award over $1,000,000 USD,” said Zero Day Initiative (ZDI) in a blog post. The hacking event had multiple categories for the security researchers to target in the competition, which included automotive, enterprise applications, enterprise communications, servers, virtualization, and local escalation of privilege (EoP). The third and last day of the Pwn2Own hacking contest saw Windows 11, Ubuntu Desktop, and the VMware Workstation virtualization software being successfully exploited by security researchers.

Ubuntu

The highlight of the day was the Ubuntu Desktop operating system whose zero-day vulnerability was exploited three times by three different teams: Kyle Zeng from ASU SEFCOM (a double free bug), Mingi Cho of Theori [a Use-After-Free (UAF) vulnerability], and Bien Pham (@bienpnn) of Qrious Security.

UbuntuWindows 11VMWare WorkstationSummary of Day 1 and Day 2 at the Pwn2Own Vancouver 2023Overall Summary of the Pwn2Own Vancouver 2023What is Pwn2Own?

Kyle Zeng and Mingi Cho earned $30,000 and 3 Master of Pwn points each for their exploits on the Ubuntu operating system. On the other hand, Bien Pham earned only $15,000 and 1.5 Master of Pwn points for the exploit, as it was a previously known bug.

Windows 11

Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) hacked a fully patched Windows 11 system in the EoP category using a UAF bug against Microsoft Windows 11. This earned him $30,000 and 3 Master of Pwn points.

VMWare Workstation

Lastly, the STAR Labs (@starlabs_sg) team used an uninitialized variable and UAF exploit chain against VMWare Workstation for which they earned $80,000 and 8 Master of Pwn points.

Summary of Day 1 and Day 2 at the Pwn2Own Vancouver 2023

On the first day of the contest, security researchers were awarded $375,000 (and a Tesla Model 3) for demoing 12 zero-days in the Adobe Reader, Microsoft SharePoint, Oracle VirtualBox, Tesla Model 3, Ubuntu Desktop, Windows 11, and Apple macOS. Further, on the second day, total prize money of $475,000 was awarded to the successful researchers and teams who managed to exploit 10 unique zero-days in Oracle VirtualBox, Microsoft Teams, Tesla, and Ubuntu Desktop.

Overall Summary of the Pwn2Own Vancouver 2023

The three day Pwn2Own Vancouver 2023 hacking competition saw contestants disclosing 27 unique zero-day exploits and winning a combined $1,035,000 as well as a car. The winners of the competition and Masters of Pwn on the leaderboard are offensive security firm, Synacktiv (@Synacktiv) who earned 53 points, $530,000, and a Tesla Model 3 for their exploits. They also received a $25,000 bonus and Platinum status in 2024. Last year, the Pwn2Own Vancouver 2022 event awarded $1,155,000 to security researchers for hacking the Tesla Model 3 Infotainment System and exploiting Microsoft Teams, Windows 11, and Ubuntu Desktop by using multiple zero-day bugs and exploit chains.

What is Pwn2Own?

Pwn2Own is a hacking competition organized each year by Trend Micro’s Zero Day Initiative (ZDI) where ethical hackers, cybersecurity experts, and several other contestants take part. In the Pwn2Own hacking contest, security researchers exploit the latest and most popular mobile devices and demonstrate their skills and disclose major zero-day vulnerabilities to tech companies. Winners of the contest receive the device that they have exploited as well as a cash prize. Following the hacking event, vendors have 90 days to fix zero-day vulnerabilities demoed and disclosed during the Pwn2Own. Once the deadline is over, ZDI publicly discloses the flaws irrespective of the patch status.