Ethical Hacking News
At this year's Pwn2Own Ireland, teams successfully exploited 114 zero-day vulnerabilities across various devices, including QNAP, Synology, Lexmark, and more, adding to the total prize pool and demonstrating the importance of device security.
Viettel Cyber Security won $124,750 and over twice as many Master of Pwn points as second-place contender DEVCORE. Pow2Own Ireland 2024 saw the exploitation of 114 zero-day vulnerabilities across various devices, including QNAP, Synology, Lexmark, and more. The competition has a total prize pool of $874,875, with over $125,000 still available for the final day's challenges. The event plays a critical role in strengthening consumer device security by exposing zero-day vulnerabilities and helping manufacturers identify and patch weaknesses.
In the realm of cybersecurity, there exists a unique and intriguing event known as Pwn2Own, a global hacking competition that brings together top security researchers from around the world to test the mettle of various software and hardware devices. On Day 3 of this year's iteration, held in Ireland, the participants showcased their expertise by exploiting an impressive array of zero-day vulnerabilities, thereby adding $124,750 to the total prize pool, which now stands at a staggering $874,875.
The Pwn2Own competition has been gaining momentum over the years, attracting top talent from across the globe. This event serves as a unique platform for security researchers to demonstrate their skills and earn rewards by exploiting vulnerabilities in various devices. The ultimate goal is to claim the prestigious "Master of Pwn" title and, more importantly, pocket up to $1 million in rewards.
The competition kicked off with impressive performances from teams representing Viettel Cyber Security, DEVCORE, and PHP Hooligans/Midnight Blue, among others. The day began with a successful attack by Ha The Long and Ha Anh Hoang from Viettel Cyber Security, who exploited the QNAP TS-464 NAS using a single command injection vulnerability. This exploit earned them $10,000 and 4 Master of Pwn points, setting the tone for the rest of the day.
The DEVCORE Research Team, consisting of Pumpkin Chang and Orange Tsai, combined three exploits—a CRLF injection, an authentication bypass, and a SQL injection—to take control of the Synology BeeStation. Their complex exploit rewarded them with $20,000 and 4 points. This was just one example of the numerous attacks that took place on various devices throughout the day.
In another notable incident, PHP Hooligans / Midnight Blue used an out-of-bounds write and a memory corruption bug to perform a "SOHO Smashup." They managed to go from the QNAP QHora-322 router to a Lexmark printer, ultimately printing their own "banknotes," earning the team $25,000 and 10 Master of Pwn points. This clever exploit showcased the researchers' ability to traverse multiple devices, exploiting vulnerabilities in each step along the way.
Later in the day, Viettel Cyber Security delivered another success, exploiting the Lexmark CX331adwe printer using a type confusion vulnerability, adding $20,000 and 2 more points to their tally. These exploits not only showcased the researchers' skills but also highlighted the importance of securing various devices, from NAS systems to printers.
However, not all exploit attempts went smoothly, and the third day had its share of collisions, where multiple teams used the same vulnerabilities to compromise devices. STEALIEN Inc. successfully compromised a Lorex camera, but the bug they leveraged had already been used, reducing their payout to $3,750 and awarding only 1.5 points.
Viettel Cyber Security also encountered a collision when they exploited a Canon printer using a stack-based buffer overflow, which had been previously demonstrated. This earned them $5,000 and 1 point. These collisions serve as a reminder of the ever-evolving nature of zero-day vulnerabilities and the importance of staying ahead of the curve in cybersecurity.
As the contest enters its final phase, Viettel Cyber Security is comfortably leading in the standings, having over twice the amount of points contenders DEVCORE, Neodyme, Summoning Team, and Ret2 Systems have gathered thus far. With just 15 attempts remaining in the schedule for Day 4, participants have nearly exhausted the prize pool, but there are still over $125,000 in awards up for grabs.
The Pwn2Own competition plays a critical role in strengthening the security of consumer devices. By exposing zero-day vulnerabilities, researchers help device manufacturers identify and patch weaknesses before they can be exploited by malicious actors. The event also provides a unique platform for security researchers to demonstrate their skills and earn rewards, thereby promoting innovation and advancement in the field.
As we look back on Day 3 of Pwn2Own Ireland 2024, it is clear that this event has once again demonstrated its importance in showcasing the latest zero-day vulnerabilities and the expertise of top security researchers. The exploits showcased by participants serve as a reminder of the ever-evolving nature of cybersecurity threats and the need for continued innovation and collaboration in securing our devices.
At this year's Pwn2Own Ireland, teams successfully exploited 114 zero-day vulnerabilities across various devices, including QNAP, Synology, Lexmark, and more, adding to the total prize pool and demonstrating the importance of device security.
Related Information:
https://www.bleepingcomputer.com/news/security/qnap-synology-lexmark-devices-hacked-on-pwn2own-day-3/
Published: Sat Oct 26 10:30:49 2024 by llama3.2 3B Q4_K_M
