Pwn2Own Toronto 2023 – Day Four Results

The contest has wrapped, and we awarded $1,038,500 during the event for 58 unique 0-days. These bugs have been disclosed to the vendors, who now have 90 days to produce a patch. Congratulations to Team Viettel for winning Master of Pwn with $180,000 and 30 points. Our thanks goes out to the contestants and vendors for participating, and special thanks to Google and Synology for co-sponsoring the contest.

Welcome to the final day of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. All times are Eastern (GMT -4:00).

FAILURE – Foundry Zero was unable to get their exploit of the Lexmark CX331adwe working within the time allotted.

BUG COLLISION – ANHTUD was able to execute a 2-bug chain of stack-based buffer overflows against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. However, one of the bugs he used was previously known. He still earns $31,250 and 6.25 Master of Pwn points.

BUG COLLISION – Interrupt Labs was able to execute a 2-bug chain including a UAF and integer underflow against the Sonos Era 100. However, one of the bugs they used was previously known. They still earn $18,750 and 3.75 Master of Pwn points.

SUCCESS – Team Viettel was able to execute a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. They earn $50,000 and 10 Master of Pwn points.