$874,000 Awarded: Pwn2Own Heats Up with 51 New Zero-Days
The thrilling Pwn2Own 2024 competition continues in Ireland, where participants showcase their prowess in uncovering vulnerabilities in popular devices. Day two revealed 51 zero-day vulnerabilities and awarded participants a cumulative prize of $358,625, bringing the total payouts across both days to over $874,000.
Currently leading the race for the coveted “Master of Pwn” title and a $1 million prize is the Viettel Cyber Security team. However, with two days remaining, the leaderboard may yet shift.
One highlight of the second day came from Team ANHTUD, whose members exploited a stack overflow vulnerability to breach the Canon imageCLASS MF656Cdw printer, earning $10,000 and two points. Meanwhile, NCC Group’s Ken Gannon used five bugs to hack the Samsung Galaxy S24 smartphone, securing $50,000 and five points.
The Viettel Cyber Security team also showcased its expertise by using a use-after-free vulnerability to breach the Sonos Era 300 speaker, netting $30,000. Similarly, engineers from InfoSect took control of a Sonos speaker, adding another $30,000 to their team’s earnings.
There were setbacks as well. The Rapid7 team was unable to complete the hack on the Lorex 2K camera, while Team DEVCORE didn’t finish their attack on a SOHO Smashup task involving a router and printer combo. Nonetheless, attempts that ended in partial successes or encountered previously used bugs still earned participants monetary rewards and additional points.
Among the impressive feats was Team Cluck’s hack of the QNAP TS-464 NAS device using a CRLF injection, which earned them $20,000. YingMuo also successfully hacked a QNAP device through SQL injection.
The competition is far from over, with not only a substantial prize pool at stake but also the prestigious title of “Master of Pwn.” Ahead lie new challenges, promising even more intrigue and discoveries.