Hackers Exploit Microsoft Teams, Virtualbox, And Tesla In Pwn2own Day Two

By Editor Last updated Mrz 4, 2025

The second day of Pwn2Own Vancouver 2023 witnessed successful exploits on various targets, including Microsoft Teams, Oracle VirtualBox, and Tesla. Hackers participating in the event were able to exploit these targets using zero-day vulnerabilities, earning a total of $475,000 in cash prizes. Notably, both Team Viettel and Synacktiv successfully attacked Oracle VirtualBox, utilizing different vulnerabilities and securing cash prizes and Master of Pwn points. Furthermore, Team Viettel managed to exploit Microsoft Teams using a two-bug chain, while Synacktiv exploited Tesla Infotainment through a heap overflow and an OOB write. Privilege escalation on Ubuntu Desktop was also achieved by Tanguy Dubroca from Synacktiv. The competition encompassed several categories, such as enterprise applications, communications, servers, virtualization, automotive, and local escalation of privilege. A total of $850,000 was awarded for the 10 unique zero-day exploits on Day 2. With 19 entries targeting nine different targets, the event offered a potential prize pool of $1,080,000, along with two Tesla Model 3 cars.

Quickjump

Key Takeaways

Participants received $475,000 in cash prizes for 10 unique zero-day exploits.
Targets hacked included Tesla Model 3, Microsoft Teams, Oracle VirtualBox, and Ubuntu Desktop.
Team Viettel used a 2-bug chain to hack Microsoft Teams, earning $75,000 and 8 Master of Pwn points.
David Berard and Vincent Dehors from Synacktiv exploited Tesla Infotainment using a heap overflow and an OOB write, earning $250,000 and 25 Master of Pwn points.

Pwn2Own Vancouver 2023 Day 2

On Day 2 of Pwn2Own Vancouver 2023, participants were awarded a total of $475,000 in cash prizes for successfully exploiting 10 unique zero-day vulnerabilities in targets such as Microsoft Teams, Oracle VirtualBox, and Tesla Model 3. These exploits showcased the techniques utilized by hackers to compromise software security. In the case of Oracle VirtualBox, the exploit involved leveraging an uninitialized variable and a UAF (Use-After-Free) flaw. Another team demonstrated a 3-bug chain against Oracle VirtualBox. Microsoft Teams was hacked using a 2-bug chain. The most notable exploit involved the Tesla Model 3, where hackers exploited heap overflow and an OOB (Out-of-Bounds) write in the Tesla Infotainment system. These zero-day exploits highlight the critical impact they can have on software security and the urgent need for robust vulnerability management and patching strategies.

Targets Hacked

The targets that were compromised during the second day of the Pwn2Own Vancouver 2023 event included Tesla Model 3, Microsoft Teams, Oracle VirtualBox, and Ubuntu Desktop. These successful exploits highlight the impact of zero-day vulnerabilities on software security. Zero-day exploits refer to vulnerabilities in software that are unknown to the vendor and for which no patch or fix is available. They are highly valuable to hackers as they can be used to launch attacks without detection. To prevent and mitigate zero-day attacks, organizations can employ strategies such as regularly updating software to the latest versions, implementing security patches promptly, utilizing intrusion detection and prevention systems, conducting security audits, and practicing secure coding techniques. These measures can help enhance software security and protect against zero-day vulnerabilities.

Exploits on Oracle VirtualBox

Exploiting an uninitialized variable and a UAF flaw, Team Viettel and Synacktiv successfully compromised Oracle VirtualBox during the Pwn2Own Vancouver 2023 event. The vulnerabilities allowed the hackers to gain unauthorized access and control over the virtualization software. Team Viettel, led by dungdm, leveraged an uninitialized variable vulnerability and a UAF (Use-After-Free) flaw to exploit Oracle VirtualBox. This technique earned them $40,000 and 4 Master of Pwn points. Additionally, Thomas Imbert and Thomas Bouzerar from Synacktiv demonstrated a 3-bug chain against Oracle VirtualBox, utilizing the same UAF flaw. Their successful exploitation earned them $80,000 and 8 Master of Pwn points. These exploits highlight the importance of addressing uninitialized variable vulnerabilities and UAF flaws in software to prevent unauthorized access and compromise of sensitive information.

Hacking of Microsoft Teams

The successful compromise of a widely used communication platform during the Pwn2Own Vancouver 2023 event highlighted the potential vulnerabilities that exist in software systems. The hacking of Microsoft Teams by Team Viettel using a 2-bug chain not only earned them $75,000 and 8 Master of Pwn points but also raised concerns about the implications on remote work security. As Microsoft Teams is widely used for remote collaboration and communication, its exploitation underscores the need for robust security measures in such platforms to protect sensitive data and ensure the privacy of users. Additionally, the Tesla zero-day exploits demonstrated by David Berard and Vincent Dehors from Synacktiv, which earned them $250,000 and 25 Master of Pwn points, shed light on the potential impact of such vulnerabilities on the automotive industry. These exploits highlight the need for strong security measures in connected vehicles to prevent unauthorized access and potential safety risks.

Tesla Zero-Day Exploits

Tesla vehicles were targeted and successfully compromised during the Pwn2Own Vancouver 2023 event, revealing critical zero-day vulnerabilities in the automotive industry. Synacktiv, a renowned hacking team, successfully exploited Tesla Infotainment using a heap overflow and an out-of-bounds write. This exploit allowed them to gain control over the vehicle’s infotainment system, potentially compromising the entire car’s functionality. The vulnerabilities discovered by Synacktiv highlight the importance of rigorous security measures in the automotive sector, as compromising these systems can have severe consequences, including remote control of the vehicle or unauthorized access to sensitive data. The successful exploits against Tesla in Pwn2Own Vancouver 2023 serve as a wake-up call for the automotive industry to prioritize cybersecurity and implement robust measures to protect against such attacks.

Frequently Asked Questions

How much cash prize did participants receive for the zero-day exploits on Day 2 of Pwn2Own Vancouver 2023?

Participants received a cash prize of $475,000 for the zero-day exploits on Day 2 of Pwn2Own Vancouver 2023, which included hacks on Microsoft Teams, Oracle VirtualBox, Tesla Model 3, and Ubuntu Desktop.

Which team exploited Oracle VirtualBox and what vulnerabilities did they use?

Dungdm from Team Viettel exploited Oracle VirtualBox by utilizing an uninitialized variable and a UAF flaw. They earned a cash prize of $40,000 and 4 Master of Pwn points for their successful zero-day exploits in Pwn2Own Vancouver 2023.

How did Team Viettel hack Microsoft Teams and what was their reward?

Team Viettel hacked Microsoft Teams using a 2-bug chain. They exploited vulnerabilities in the software, but the specific details are not mentioned. They were rewarded $75,000 for their successful exploit. To improve security measures, Microsoft should focus on patching vulnerabilities and implementing stricter access controls.

What vulnerabilities did David Berard and Vincent Dehors from Synacktiv exploit to target Tesla Infotainment?

David Berard and Vincent Dehors from Synacktiv targeted Tesla Infotainment by exploiting vulnerabilities, specifically a heap overflow and an out-of-bounds write. Their successful exploit earned them $250,000 and 25 Master of Pwn points in the Pwn2Own hacking contest.

What was the total amount of cash prizes awarded on Day 2 of Pwn2Own Vancouver 2023?

On Day 2 of Pwn2Own Vancouver 2023, a total of $475,000 in cash prizes were awarded. Participants received cash prizes for their successful exploits, with a total of $850,000 being awarded for 10 unique zero-days.