A wave of attacks that started in July 2024 rely on a less common technique called AppDomain Manager Injection, which can weaponize any Microsoft .NET application on Windows. […] Read More
The all in one place for non-profit security aid.
A wave of attacks that started in July 2024 rely on a less common technique called AppDomain Manager Injection, which can weaponize any Microsoft .NET application on Windows. […] Read More
Temu denies breach after hacker claims theft of 87 million data records
Temu denies it was hacked or suffered a data breach after a threat actor claimed to be selling a stolen database containing 87 million records of customer information. […] Read More
Hackers Exploited Ubuntu, Adobe Reader, Sharepoint, Tesla ECU & Oracle VM
[[{“value”:”
This year’s Pwn2Own Vancouver 2024 event is expected to be the largest in Vancouver history, both in terms of entries and potential rewards.
The event’s victors will receive over $1,300,000 in cash and prizes, which include a Tesla Model 3.
The results of Pwn2Own Vancouver 2024’s first day have been released, and the hackers particularly hacked Oracle VM, Adobe Reader, Microsoft Sharepoint, Tesla ECU, and Ubuntu.
As of the end of Day 1, the winners have received $732,500 USD for 19 distinct 0 days.
That brings a close to the first day of #Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique 0-days. @Synacktiv currently leads in the hunt for Master of Pwn, but @_manfp is right behind them. Here are the full standings: pic.twitter.com/GbtDzbCFgO
— Zero Day Initiative (@thezdi) March 21, 2024
AbdulAziz Hariri of Haboob SA was able to launch the event by successfully executing their code execution attack against Adobe Reader.
He combined a Command Injection issue with an API Restriction Bypass. In addition to 5 Master of Pwn points, he receives $50,000.
Confirmed! @abdhariri used an API Restriction Bypass and a Command Injection bug to get code execution on #Adobe Reader. In doing so, he earns $50,000 and 5 Master of Pwn points. #Pwn2Own #P2OVancouver pic.twitter.com/OPdEkeLspc
— Zero Day Initiative (@thezdi) March 20, 2024
The LPE attack against Windows 11 was successfully carried out by the DEVCORE Research Team.
They merged a few bugs, one of which was a TOCTOU race condition that may be dangerous. Three Master of Pwn points and $30,000 are theirs.
With just one UAF bug, Seunghyun Lee (@0x10n) of the KAIST Hacking Lab was able to execute their exploit of the Google Chrome web browser. They get six Master of Pwn points and $60,000.
Confirmed! Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to get code execution in the #Google Chrome renderer. He earns $60,000 and 6 Master of Pwn points. #Pwn2Own pic.twitter.com/yIqPLXO9sv
— Zero Day Initiative (@thezdi) March 20, 2024
Combining a heap-based buffer overflow, a UAF, and an uninitialized variable flaw, Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) were able to escape VMware Workstation and run code as SYSTEM on the host Windows OS.
They receive $130,000 and 13 Master of Pwn points for their outstanding achievement.
Confirmed! Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) combined three different bugs to escape #VMware Workstation and then execute code as SYSTEM on the host OS. This impressive feat earns them $130,000 and 13 Master of Pwn points. #Pwn2Own pic.twitter.com/JkVgORdcck
— Zero Day Initiative (@thezdi) March 20, 2024
Two Oracle VirtualBox issues, including a buffer overflow, were combined with a Windows UAF by Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) to enable the guest OS to escape and run code as SYSTEM on the host OS.
They receive $90,000 and nine Master of Pwn points for this outstanding research.
The Synacktiv (@synacktiv) team exploited the Tesla ECU with Vehicle (VEH) CAN BUS Control by using a single integer overflow.
The winners receive a new Tesla Model 3 (their second!), $200,000, and 20 Master of Pwn points.
Confirmed!!! The @Synacktiv team used a single integer overflow to exploit the #Tesla ECU with Vehicle (VEH) CAN BUS Control. The win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!). Awesome work as always. #Pwn2Own #P2OVancouver pic.twitter.com/FcB4fTiOa7
— Zero Day Initiative (@thezdi) March 20, 2024
Manfred Paul (@_manfp) leverages a PAC bypass exploiting an Apple Safari vulnerability to obtain RCE on the browser via an integer underflow flaw.
He gains six Master of Pwn points and $60,000 for himself.
Oracle VirtualBox was exploited by Dungdm (@_piers2) of Viettel Cyber Security using two bugs, including the always dangerous race condition.
They get four Master of Pwn points and $20,000 as the round three winners.
That concludes Pwn2Own Vancouver 2024’s first day. Let’s see if Manfred Paul can catch up to Synacktive or if they can maintain their Master of Pwn lead.
Follow this link to view this highly competitive contest’s detailed itinerary. Additionally, you can find a comprehensive overview of the Pwn2Own Vancouver 2024 Day 1 results here.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The post Hackers Exploited Ubuntu, Adobe Reader, Sharepoint, Tesla ECU & Oracle VM appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
HHS will investigate Change Healthcare attack. CISA says two of its systems were breached through Ivanti flaws.
Midnight Blizzard makes use of data stolen from Microsoft. Stanford University discloses scale of last year’s ransomware attack and data breach. French government hit by “intense” cyberattacks. Read More
The CyberWire