June 13, 2024 By Sue Poremba 4 min read

The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.

This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest’s 17-year history, with Esage achieving a partial win in 2021.

At the March 2024 competition, Palmiotti (aka Chompie) scored a win with her discovery of an Improper Update of Reference Count bug to escalate privileges on Windows 11. It was her first time entering Pwn2Own.

Pwn2Own is considered one of the most — if not the most — prestigious hacking competitions in the world. Sponsored by the Zero Day Initiative, participants try to exploit popular software and devices with previously unknown vulnerabilities. Security Intelligence spoke with Palmiotti, an exploit researcher on IBM’s X-Force Red team, about her path to becoming an ethical hacker.

SI: Tell us about your background: What spurred your interest in hacking and exploit research?

VP: I got into cybersecurity kind of by accident. This is my second career. I worked in macroeconomic research before and didn’t have a good experience. I was in a rough spot in my life overall. So, I examined my life plan and tried to think of what would be a better fit for me. I’d always been into technology and computers. The idea of being a hacker or doing something like that was appealing to me in a romantic sense, even though I didn’t know anything about it. 

After doing some research, I discovered there was a boot camp to train in cybersecurity offered by the city I lived in at the time. I applied to that, got in, and have been working in the industry ever since. Currently, I’m with IBM’s X-Force Red, and I’ve been working here about a year and a half. 

SI: Why did you want to participate in Pwn2Own?

VP: It's seen as a hacker's rite of passage: demonstrating you can find and exploit bugs on real devices to show off your skills. It was a goal of mine to compete, and I finally had an opportunity to do so with the job I'm in now.

SI: You’re the first woman to have a full win at Pwn2Own, and that’s a big deal. How many women compete in this event?

VP: The competition isn’t very diverse in that regard.

SI: Why do you think women aren’t interested in ethical hacking?

VP: I think they are interested. There are multiple factors at play. First, there isn’t a clearly defined learning or career path for offensive security. Some people get into it via game hacking, or just tinkering around with other technology. If you don’t game or have other related technical interests like Capture the Flag, it’s hard to find out this job even exists. In my case, I would have never discovered my passion and talent for hacking if I didn’t have a mentor showing me the basics. Second, the job requires a certain level of arrogance since you are spending weeks or months testing the limits of a target. In order to maintain tenacity, a researcher has to remain confident that their instincts are correct. By the same token, that type of personality may not be as welcoming of outsiders. Entering into that type of environment is intimidating, especially when the culture has had a less than favorable reputation. Overall, the industry should work on being more welcoming and provide more opportunities for everyone to learn without being challenged if they belong. 

SI: Tell me about the competition and what goes into it.

VP: Zero Day Initiative publishes a list of targets a few months before the competition. To win or be successful in a category, you have to discover a zero-day vulnerability and write an exploit for that target. Once you are at the event, you have to demonstrate the exploit on their equipment. Exploits aren't always deterministic, so there is a chance the exploit fails. You get three chances to demonstrate, each with a 10-minute time limit. The competition's devices are all fully updated with the latest security patches applied.

You then demonstrate the exploit to show that you are able to hack the target. If you are successful, you are taken to a back room where you explain the vulnerability you found and how you exploited it and answer any questions they may have. The people at the Zero Day Initiative will check the vulnerability and exploit against their database of reported bugs. If yours hasn’t been reported, the next step is to talk to the vendor of the product you targeted. In my case, the vulnerability is in Windows, and I had to talk to Microsoft. They check their databases, and if they can’t find any reports of the vulnerability you found, you officially win.

SI: The competition was in March. Has the exploit been patched yet? 

VP: It has not been. The vendors have 90 days from the reporting to apply a patch, so it should be sometime next month (in June).

SI: Since it hasn’t been patched yet, is there anything you can tell us about the vulnerability?

VP: I can’t go into specifics, but I can say that it is a bug in a Windows kernel component. The type of bug was made public. It is an improper reference count update. I plan to release a blog post about the ordeal once it’s been patched.

SI: Have you found zero-days before?

VP: Yes, it’s part of my job as a vulnerability researcher. 

SI: As an ethical hacker and somebody who sees unique vulnerabilities all the time, what worries you?

VP: As somebody in offense, what concerns me is the persistent cat-and-mouse game that researchers have to play to stay on top of the latest mitigations. It's not just about finding zero-days, but also about building exploits. Your job isn't done once you find a bug. It actually took weeks of building this exploit to bypass various security mitigations. I worry about being able to keep up as it becomes more and more difficult. On the defensive side, I'm thinking about how to detect these exploits in the wild. As an attacker, I have a deep understanding of the evidence exploits leave behind. It's fun to speculate how detection technology has advanced as zero-days discovered in the wild trend upwards.

SI: What’s the next step for you?

VP: I'm fortunate to be in a position where I get to do research full-time, and I'll continue to do my research. There are tentative plans to find some interns for next year and possibly do some mentoring. A lot of people are interested in getting into offensive security, but they don't know where to start. There's no defined learning path right now, so I think people would benefit from mentorship.
