The Zero Day Initiative’s Pwn2Own Toronto 2023 hacking competition concluded on Friday with two new zero-day exploits, bringing the total demonstrated vulnerabilities to 58.
Over the course of four days, participants successfully exploited routers, printers, smart speakers, NAS products, surveillance systems, and mobile phones, earning more than $1 million in rewards.
Following a busy first day of the competition, when 18 exploits were demonstrated and more than $400,000 earned in rewards, participants showcased 15 exploits on the second day, eight on the third day, and three on the last day.
The highest reward, of $100,000, was awarded on the second day of the contest to Chris Anastasio, for bugs in the P-Link Omada Gigabit router and one in the Lexmark CX331adwe printer.
Throughout the competition, team Viettel demonstrated multiple exploits, earning a total of $180,000 in rewards. Team Orca of Sea Security was also able to successfully demonstrate multiple exploits, earning roughly $116,000, while Pentest Limited earned $90,000 in rewards.
Interrupt Labs, Star Labs SG, a Devcore intern, ANHTUD, Claroty, team ECQ, Sina Kheirkhah, Binary Factory, Synacktiv, Rafal Goryl, Sonar, ToChim, Nguyen Quoc Viet, and others also demonstrated successful exploits, though not all of them targeted new vulnerabilities.
Some of the demonstrated exploits chained two or three vulnerabilities, but most of them were single-bug exploits. Many of the exploits led to remote code execution.
All the vulnerabilities have been reported to the vendors, who have 90-days to address them before details are made public.