Welcome to Day Three of our first ever Pwn2Own Ireland competition! We’ve already awarded $874,875, and we have 15 attempts left to go. Will we hit the $1,000,000 mark or will all remaining attempts end up in bug collisions? Stay tuned to find out. All times are Irish Standard Time (GMT +1:00).

SUCCESS – Ha The Long with Ha Anh Hoang of Viettel Cyber Security (@vcslab) used a single command injection bug to exploit the QNAP TS-464 NAS. Their fourth-round win nets them $10,000 and 4 Master of Pwn points.

FAILURE – Unfortunately, Sina Kheirkhah (@SinSinology) and Enrique Castillo (@hyprdude) of Summoning Team (@SummoningTeam) could not get their exploit of the Ubiquiti AI Bullet working within the time allotted.

SUCCESS – Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from the DEVCORE Research Team combined a CRLF Injection, an Auth Bypass, and a SQL Injection to exploit the Synology BeeStation. They earn $20,000 and 4 Master of Pwn points.

SUCCESS – PHP Hooligans / Midnight Blue (@midnightbluelab) used an OOB Write and a memory corruption bug to go from the QNAP QHora-322 to the Lexmark printer, which they demonstrated by printing their own “cash”. Their successful SOHO Smashup earns them $25,000 and 10 Master of Pwn points.

SUCCESS – Viettel Cyber Security (@vcslab) used a single type confusion bug to exploit the Lexmark CX331adwe printer. In the process, they earn $20,000 and 2 Master of Pwn points.

COLLISION – Our first collision of Day Three: the group from STEALIEN Inc. successfully popped the Lorex camera, but the bug they used had already been demonstrated in the contest. They still earn $3,750 and 1.5 Master of Pwn points.

COLLISION – namnp and tunglth of Viettel Cyber Security (@vcslab) ran into another collision. Their stack-based buffer overflow took over the Canon printer, but it had been previously used in the competition. They still earn $5,000 and 1 Master of Pwn point.

SUCCESS – Newcomers Team Smoking Barrels used an unprotected primary channel bug to exploit the Synology BeeStation for code execution. They earn $10,000 and 4 Master of Pwn points.

FAILURE – Unfortunately, Viettel Cyber Security (@vcslab) could not get their exploit of the Ubiquiti AI Bullet working within the time allotted.

SUCCESS – In the penultimate attempt of Day 2, Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps), and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) combined 4 bugs, including a command injection and a path traversal, to go from the QNAP QHora-322 to the TrueNAS Mini X. They earn $25,000 and 10 Master of Pwn points.

FAILURE – ExLuck (@ExLuck99) of ANHTUD was unable to complete his SOHO Smashup in the time allotted. He was able to get into the Synology router but couldn’t successfully pivot to the Canon printer.