QNAP, Synology, Lexmark devices hacked on Pwn2Own Day 3

The third day of Pwn2Own Ireland 2024 continued to showcase the expertise of white hat hackers as they exposed 11 zero-day vulnerabilities, adding $124,750 to the total prize pool, which now stands at $874,875.

Pwn2Own, a global hacking competition, challenges top security researchers to exploit a range of software and hardware devices, with the ultimate goal of earning the prestigious “Master of Pwn” title and claiming up to $1 million in rewards.

On Day 1, participants uncovered 52 zero-day vulnerabilities, and on Day 2, another 51 zero-days were added.

Yesterday, the competition saw impressive performances from teams representing Viettel Cyber Security, DEVCORE, and PHP Hooligans/Midnight Blue, among others.

The day kicked off with success for Ha The Long and Ha Anh Hoang from Viettel Cyber Security, who exploited the QNAP TS-464 NAS using a single command injection vulnerability. This successful attack earned them $10,000 and 4 Master of Pwn points.

Pumpkin Chang and Orange Tsai from the DEVCORE Research Team combined three exploits—a CRLF injection, an authentication bypass, and a SQL injection—to take control of the Synology BeeStation. Their complex exploit rewarded them with $20,000 and 4 points.

PHP Hooligans / Midnight Blue used an out-of-bounds write and a memory corruption bug to perform a “SOHO Smashup.” They managed to go from the QNAP QHora-322 router to a Lexmark printer, ultimately printing their own “banknotes,” earning the team $25,000 and 10 Master of Pwn points.

Later in the day, Viettel Cyber Security delivered another success, exploiting the Lexmark CX331adwe printer using a type confusion vulnerability, adding $20,000 and 2 more points to their tally.

Collisions and failed attempts

However, not all exploit attempts went smoothly, and the third day had its share of collisions, where multiple teams used the same vulnerabilities to compromise devices.

STEALIEN Inc. successfully compromised a Lorex camera, but the bug they leveraged had already been used, reducing their payout to $3,750 and awarding only 1.5 points.

Viettel Cyber Security also encountered a collision when they exploited a Canon printer using a stack-based buffer overflow, which had been previously demonstrated. This earned them $5,000 and 1 point.

Viettel Cyber Security and ANHTUD faced challenges when time ran out before they could complete their exploits, both while attempting to breach the Ubiquiti AI Bullet within the allotted time.

With just 15 attempts remaining in the schedule for Day 4, participants have nearly exhausted the prize pool, but there are still over $125,000 in awards up for grabs.

As the contest enters its final phase, Viettel Cyber Security is comfortably leading in the standings, having over twice the amount of points contenders DEVCORE, Neodyme, Summoning Team, and Ret2 Systems have gathered thus far.

At the end of Day 3, the event revealed 114 zero-day vulnerabilities, showcasing the critical role of such competitions in strengthening the security of consumer devices.