TrendAI Zero Day Initiative
@thezdi
TrendAI Zero Day Initiative™ (ZDI) is a program designed to reward security researchers for responsibly disclosing vulnerabilities.
Austin, Texas
Joined November 2009
Posts
  • Pinned
    Announcing #Pwn2Own Berlin 2026! We've got 10 categories for targets, including an expanded #AI target list. We have 4 AI categories - including coding agents (looking at you #Claude). More than $1,000,000 in cash & prizes available. Read the details at
  • That's a wrap! Congrats to @fluoroacetate on winning Master of Pwn. Their total was $375,000 (plus a vehicle) for the week. Superb work from this great duo.
  • CONFIRMED!! Ken Gannon (@Yogehi) of NCC Group (@NCCGroupInfosec) used 5 different bugs, including a path traversal, to get a shell & install an app on the #Samsung Galaxy S24. He earns $50,000 and 5 Master of Pwn points. #Pwn2Own #P2OIreland
  • Windows #UAC isn't a favorite feature, but @HexKitchen details a bug submitted by Eduardo Braun Prado that shows how you can use it to escalate from guest to SYSTEM (includes video)
  • The @fluoroacetate duo does it again. They used a type confusion in #Edge, a race condition in the kernel, then an out-of-bounds write in #VMware to go from a browser in a virtual client to executing code on the host OS. They earn $130K plus 13 Master of Pwn points.
  • Confirmed! Valentina Palmiotti (@chompie1337) with IBM X-Force used an Improper Update of Reference Count bug to escalate privileges on Windows 11. She nailed her first #Pwn2Own event and walks away with $15,000 and 3 Master of Pwn points.
  • CONFIRMED! @Synacktiv successfully executed a TOCTOU exploit against Tesla – Gateway. They earn $100,000 as well as 10 Master of Pwn points and this Tesla Model 3. #Pwn2Own #P2OVancouver
  • Confirmed! @5aelo used a JIT optimization bug in the browser, a macOS logic bug, & a kernel overwrite to execute code to successfully exploit Apple Safari. This chain earned him $65K & 6 Master of Pwn points.
  • CONFIRMED! @Synacktiv used a heap overflow & an OOB write to exploit the Infotainment system on the Tesla. When they gave us the details, we determined they actually qualified for a Tier 2 award! They win $250,000 and 25 Master of Pwn points. 1st ever Tier 2 award. Stellar work!
  • Confirmed! The Devcore team used an authentication bypass and a privilege escalation to take over the #Exchange server. They win the full $200,000 and 20 Master of Pwn points.
  • While @bl4sty only scored a COLLISION (non-unique bug) - Peter definitely gets a boatload of STYLE POINTS for this hack on a Canon printer @ #P2OToronto #Pwn2Own
  • Success! OV was able to demonstrate his exploit of #Microsoft #Teams. They're off to the disclosure room with the details. If confirmed, it will be worth $200,000 USD and 20 Master of Pwn points.
  • Wow. @mj0011sec did it. Used heap overflow in Edge, type confusion in kernel, & uninit buffer in VMware for complete virtual machine escape.