

Ethical Hacking News

Hacking the Unhacked: Hackers Exploit 52 Zero-Days on First Day of Pwn2Own Ireland




In a stunning display of cybersecurity prowess, hackers exploited 52 zero-day vulnerabilities during the first day of Pwn2Own Ireland. The competition saw top security researchers and red team operators showcase their skills by targeting various devices, including WiFi cameras, smart speakers, routers, NAS systems, and mobile phones. With a prize pool of $1 million, this event promises to be an exhilarating ride for those involved. Read more about the exciting display of cybersecurity expertise that unfolded during the first day of Pwn2Own Ireland.



  • 52 zero-day vulnerabilities were exploited across various devices during the first day of Pwn2Own Ireland.
  • Pwn2Own Ireland is a competition that promotes responsible disclosure of security vulnerabilities and allows companies to patch identified issues before they can be exploited in malicious attacks.
  • Winners earned significant payouts, with Sina Kheirkhah's team taking home $100,000 for exploiting multiple vulnerabilities across devices.
  • Other notable attempts included exploits of smart speakers, routers, NAS systems, and mobile phones, all using zero-day vulnerabilities.
  • The competition serves as a reminder of the importance of responsible disclosure of security vulnerabilities and promotes a safer online environment.



    Hackers, or rather, skilled security researchers and red team operators, showcased their prowess by exploiting a whopping 52 zero-day vulnerabilities across various devices during the first day of Pwn2Own Ireland. The competition, which aims to identify and exploit previously unknown security flaws in various products and services, has once again proven to be an exciting display of cybersecurity expertise.

    Pwn2Own Ireland, part of the Zero-Day Initiative, is a popular event that brings together top security researchers and manufacturers to test the limits of their products. The competition is designed to promote responsible disclosure of security vulnerabilities, allowing companies to patch the identified issues before they can be exploited in malicious attacks.

    The first day of Pwn2Own Ireland saw participants demonstrate their skills by targeting a range of devices, including WiFi cameras, smart speakers, routers, NAS systems, and mobile phones. The exploits were made possible through various zero-day vulnerabilities, which are software bugs that have not yet been identified or patched by the affected vendors.

    Among the winners was Viettel Cyber Security, whose team took an early lead in the competition with 13 points. Their success came courtesy of a stack-based buffer overflow vulnerability exploited in Lorex 2K WiFi cameras. The exploit earned them $30,000 and 3 points.

    Sina Kheirkhah from Summoning Team stole the show with a chain of nine vulnerabilities that allowed them to pivot from QNAP QHora-322 routers to TrueNAS Mini X devices. This impressive feat earned them a whopping $100,000 payout and 10 Master of Pwn points.

    Other notable attempts included RET2 Systems' Jack Dates, who successfully executed an out-of-bounds (OOB) write exploit on the Sonos Era 300 smart speaker, securing $60,000 and 6 points. His exploit allowed full control over the device.

    The competition also saw Team Neodyme leverage a stack-based buffer overflow to target the HP Color LaserJet Pro MFP 3301fdw printer, earning them $20,000 and 2 points. PHP Hooligans / Midnight Blue took home $20,000 for exploiting a Canon imageCLASS MF656Cdw printer using a single bug.

    ExLuck of ANHTUD joined the leaderboard with four new bugs, including improper certificate verification and a hardcoded cryptographic key, to exploit the QNAP TS-464 NAS device. This effort earned them $40,000 and 4 Master of Pwn points.

    Rapid7's Ryan Emmons and Stephen Fewer successfully exploited the Synology DiskStation DS1823xs+ via an improper neutralization of argument delimiters bug, earning $40,000 and 4 points.

    However, not all participants were successful. Summoning Team struggled to execute their QNAP TS-464 and Synology BeeStation BST150-4T exploits in time, while Synacktiv experienced a bug collision in their Lorex 2K camera exploit, resulting in a reduced payout of $11,250.

    Despite the setbacks, the first day of Pwn2Own Ireland was an exciting display of cybersecurity expertise. The competition is expected to continue with more challenges and high-stakes hacks as participants aim to exploit security issues found in fully patched SOHO devices. With a prize pool of $1 million, this event promises to be an exhilarating ride for those involved.

    The success of Pwn2Own Ireland serves as a reminder of the importance of responsible disclosure of security vulnerabilities. By identifying and exploiting zero-day bugs, security researchers can help companies patch these issues before they can be exploited in malicious attacks. This proactive approach not only protects consumers but also promotes a safer online environment for everyone.

    As the competition continues, one thing is certain – the skills and expertise of the participants will be put to the test once again. The outcome may vary, but the excitement and anticipation surrounding Pwn2Own Ireland are sure to keep cybersecurity enthusiasts glued to their screens.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days-on-the-first-day-of-pwn2own-ireland/


  • Published: Wed Oct 23 10:42:05 2024 by llama3.2 3B Q4_K_M













         

