Second day of Pwn2Own Berlin: sandbox breakouts and AI exploits

On the second day of the Pwn2Own exploit competition in Berlin, security researchers took to the stage to exploit vulnerabilities in Redis, VirtualBox and Windows 11. However, Nvidia's AI server Triton was particularly popular, with several contestants trying their hand at it. Organizer Trend Micro has already distributed over 600,000 US dollars in prize money.

The discovery and exploitation of security vulnerabilities usually takes place in secret – whether by "whitehat" security researchers or cyber criminals. Few security experts seek a stage to publicly test their zero-day exploits. However, those who are lured to Pwn2Own by the prospect of fame and five- to six-figure prize money do just that.

In various categories such as AI, cloud-native applications or web browsers, participants in the competition exploit previously found security vulnerabilities that are unknown to the manufacturer – the infamous "zero days". The organizers provide them with laptops with the target application, such as the Firefox browser, and thirty minutes. If the hackers manage to gain root access or break out of the browser or virtualization environment during this time, they receive the prize money.

Plenty of prize money

And this can be considerable: A Singaporean team pocketed 150,000 US dollars for breaking out of ESXi; by the end of the second day of the competition, the Zero Day Initiative (ZDI) had already paid out over 695,000 dollars. In total, the organizers expect to pay out almost one million dollars.

Empfohlener redaktioneller Inhalt

Mit Ihrer Zustimmung wird hier ein externes YouTube-Video (Google Ireland Limited) geladen.

YouTube-Video immer laden YouTube-Video jetzt laden

Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (Google Ireland Limited) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.

The ZDI then passes on the security gaps and exploits to the manufacturers, who also have their own representatives on site. For example, two security experts from Microsoft observed a Sharepoint attack from the audience.

Day three with livestream

All successful and failed exploits will not only end up in the "Disclosure Room" for disclosure, but also – also on YouTube, stripped of technical details –. There will also be livestreams of the attacks against Firefox, Virtualbox, VMware and Windows 11 on May 17, the last day of the competition.

The Pwn2Own exploit competition has been organized by Trend Micro since 2007 and will take place three times this year: in Tokyo, Berlin and Cork, Ireland. Held at the Hilton Hotel in Berlin, the competition is part of the OffensiveCon security conference.

(cku)