On the second day of Pwn2Own Ireland 2024, researchers demonstrated an exploit for the Samsung Galaxy S24.
On day two of Pwn2Own Ireland 2024, hackers demonstrated attacks against 51 zero-day vulnerabilities, earning a total of $358,625.
With the $516,250 earned by participants on the first day of the event, the total payout at the hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI) has already reached nearly $850,000, and there are two more days left.
“Today, we awarded $358,625 – which brings the event total to $847,875. The Viettel Cyber Security team has a commanding lead for Master of Pwn, but with two days left, there still could be changes,” reads the announcement published by ZDI.
The exploit of the day was demonstrated by Ken Gannon of NCC Group, who chained five vulnerabilities to hack a Samsung Galaxy S24 device, getting a shell and installing an app.
He earned $50,000 and 5 Master of Pwn points for the exploit chain.
PHP Hooligans / Midnight Blue (@midnightbluelab) used a command injection bug to get code execution on the Synology BeeStation BST150-4T. The team earned $40,000 and four Master of Pwn points.
Corentin BAYET (@OnlyTheDuck) of @Reverse_Tactics chained three bugs to go from the QNAP QHora-322 to the QNAP TS-464, earning $41,750 and 8.5 Master of Pwn points, though one bug had been used before.
NiNi (@terrynini38514) of DEVCORE Research Team demonstrated an exploit of an Improper Verification of Cryptographic Signature bug against the AeoTec Smart Home Hub. They earned $40,000 and 4 Master of Pwn points.
Other exploits demonstrated during day two of Pwn2Own Ireland 2024 targeted the Sonos Era 300 smart speaker, Canon and HP printers, Lorex and Ubiquiti cameras, and QNAP and Synology NAS devices.
Pierluigi Paganini
(SecurityAffairs – hacking, Pwn2Own Ireland 2024)