Pwn2Own Ireland 2024 concluded with an impressive prize pool surpassing $1 million, showcasing groundbreaking vulnerabilities across prominent software and hardware devices. Days 3 and 4 saw white hat hacking teams exploit high-stakes vulnerabilities and navigate bug collisions to cap off an event that unearthed over 70 zero-day vulnerabilities.
Check our previous coverage for the results of Day 1 and Day 2, where bug hunters uncovered 52 and 51 zero-day vulnerabilities respectively.
Day 3 highlights
Day 3 continued the intense competition, with payouts pushing close to the million-dollar mark. Here are the key exploits and incidents from Day 3:
Viettel Cyber Security: Ha The Long and Ha Anh Hoang from Viettel scored $10,000 and 4 Master of Pwn points by exploiting a QNAP TS-464 NAS through a single command injection vulnerability. Viettel Cyber Security went on to further demonstrate their prowess by uncovering a type confusion bug in the Lexmark CX331adwe printer, bagging an additional $20,000 and 2 points.
DEVCORE Research Team: Pumpkin Chang and Orange Tsai of DEVCORE used a CRLF Injection, Auth Bypass, and SQL Injection combo to exploit the Synology BeeStation, pocketing $20,000 and 4 Master of Pwn points.
PHP Hooligans / Midnight Blue: This team creatively demonstrated an Out-of-Bounds (OOB) Write and memory corruption to bridge from the QNAP QHora-322 router to a Lexmark printer, where they executed their exploit by printing a symbol of their success. The sophisticated “SOHO Smashup” was awarded $25,000 and 10 Master of Pwn points.
Day 3 also had several instances of bug collisions, reflecting the intense competition and focus on similar vulnerabilities. For instance, STEALIEN Inc. successfully breached the Lorex camera but ran into a collision with an earlier exploit, earning them a reduced prize of $3,750 and 1.5 points. Likewise, Team Smoking Barrels executed an exploit on the Synology BeeStation, claiming $10,000 and 4 points, despite running into similar overlaps in vulnerabilities.
Final day results
On Day 4, Pwn2Own Ireland finally broke the million-dollar barrier, awarding over $1,066,625 across four days — marking the fourth consecutive event to reach the seven-figure payout.
Team Smoking Barrels made an early attempt to exploit TrueNAS X with two vulnerabilities, achieving partial success despite one of the bugs having been used previously. The collision led to a reward of $20,000 and 2 points.
Chris Anastasio and Fabius Watson of Team Cluck exploited QNAP QHora-322 to bridge to the Lexmark CX331adwe with a chain of six vulnerabilities. A bug collision reduced their payout to $23,000, though they amassed an impressive 9.25 Master of Pwn points for their efforts.
PHP Hooligans / Midnight Blue closed the contest with a final success, employing an integer overflow to exploit the Lexmark printer. Their creative approach earned them $10,000 and 2 Master of Pwn points, ending the event on a high note.
Viettel Cyber Security wins Pwn2Own Ireland
With an impressive series of successful exploits across multiple devices, Viettel Cyber Security emerged as the top team, winning the prestigious Master of Pwn title with a total of 33 points and $205,000 in earnings. Their efforts spanned QNAP NAS devices, Synology BeeStations, Lexmark printers, and other SOHO devices, demonstrating comprehensive expertise across a wide array of vulnerabilities.
Pwn2Own Ireland 2024 highlighted the critical security risks embedded in everyday devices, with successful exploitation of over 70 zero-day vulnerabilities across SOHO routers, NAS devices, and IoT equipment.
The next Pwn2Own event will focus on automotive hacking and is scheduled for January 22-24, 2025, in Tokyo. This specialized event will explore vulnerabilities in modern vehicles, building on the success of previous Pwn2Own Automotive contests.