Pwn2Own results

  • #1
    Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest

    Contestant overcomes bout of 'hacktile dysfunction'

    CanSecWest

    A laptop running a fully patched version of Microsoft's Vista operating system was the second and final machine to fall in a hacking contest that pitted the security of Windows, OS X and Ubuntu Linux. With both a Windows and Mac machine felled, only the Linux box remained standing following the three-day competition.

    Shane Macaulay, who played a hand in bringing down a Mac during last year's Pwn2Own contest, defeated the Vista machine using a previously unknown vulnerability in Adobe Flash. On the final day of the CanSecWest conference in Vancouver, Macaulay spent the better part of four hours trying to get the exploit to work. (The delay prompted one spectator to playfully dub the difficulty "hacktile dysfunction.")

    A MacBook Pro running a fully patched version of Leopard was the first to drop out during day two of the race, when researchers from Independent Security Evaluators demonstrated a previously unknown vulnerability in Apple's Safari browser. With brand new boxes running both Ubuntu and Vista remaining, Macaulay spent day three switching back and forth between the two machines, trying to get his Flash exploit to execute properly. He was assisted by Alex Sotirov, a security researcher at VMware.

    Initially thwarting Macaulay's efforts was the recently released Service Pack 1 for Vista, which he had neglected to install when testing the Flash exploit in the days leading up to the contest. Per the contest rules, each target machine had to be fully patched, and when the researcher first ran the code during the competition, new page protections added by Microsoft's security team prevented the exploit from properly executing.

    "They had done some stuff in Vista to prohibit this form of attack from being successful on third-party software," Macaulay said minutes after he finally commandeered the Fujitsu U810 laptop. "We had to do some porting to get around that issue."

    Macaulay and Sotirov fashioned some JavaScript to circumvent the new measure, a feat that effectively allows them "to render that protection ineffective," Macaulay said.

    It also allows them to pocket a $5,000 bounty from Tipping Point's Zero Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he would probably sell the machine, which he and Sotirov autographed with a black Sharpie pen, on eBay.

    Under contest rules, qualifying exploits on day one had to target default installations of the operating system itself, and winners were allowed to walk away with the hacked box and a $20,000 bounty. Contest organizers gradually expanded the eligible attack surface on days two and three by allowing vulnerabilities in an increasing number of third-party applications. The bounty dropped to $10,000 on day two and $5,000 on day three. No one bothered competing on day one.

    Plenty of commentators have made hay of the MacBook Pro being the first to exit the race, and Linux zealots are sure to conclude the contest results prove the superiority of that platform. Maybe. But that's not how it looks to Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X and Linux.

    The better take-away is that exploits like these are a fact of life for everyone no matter what kind of machine they choose (are you listening, Mac Guy?). Another lesson: just as quickly as Microsoft or any other developer adds new measures like page protection to their code base, hackers, ethical and otherwise, are finding ways to work around them.

    "Nobody can do anything about it, because you're always going to be installing something" that will bypass security, Macaulay, who wore torn blue jeans and a Puma jogging jacket, said with a shrug. "If it's not Java, it'll be something else."
    Dr. Mordrid
    ----------------------------
    An elephant is a mouse built to government specifications.

    I carry a gun because I can't throw a rock 1,250 fps

  • #2
    Interesting...
    IMO, they should try the same test, but without additional software installed (just the default installed stuff). Granted, 3rd-party software should never undermine the security of the OS (it is in fact an OS flaw), but it would still be interesting to see how the different systems then hold up.

    Jörg
    pixar
    Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)

  • #3
    They did, VJ: and all passed that part of the test... except when it came to "stock software" on the MacBook, and they exploited a 0-day vulnerability in Safari (Big Surprise, turd that it is..).

    In the case of the Vista machine, it was exploited during the Phase III test by a 3rd-party piece of software: Adobe's Flash.

    In the case of the Linux distro (Ubuntu), they did not mention which desktop or browser they were using, or the Flash level installed: it makes a big difference.
    Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine

  • #4
    Ha, ok... didn't know that...

    Jörg
    pixar
    Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)

  • #5
    Originally posted by MultimediaMan:
    They did, VJ: and all passed that part of the test... except when it came to "stock software" on the MacBook, and they exploited a 0-day vulnerability in Safari (Big Surprise, turd that it is..)...
    I use Safari on a Mac and it is far from being a "turd". The Windows version, well, that's another matter entirely. Of course that's neither here nor there...

    I'm most interested to see what vulnerability in Safari was exploited. If it was something within WebKit, then it's entirely possible the same vulnerability could be exploited within Konqueror or any other KHTML/WebKit-based browser on Linux.

    Apparently the rules forbade using the same exploit on the different systems, so even if one could use the same exploit, it would only count for one platform.

    Regardless, the fact that - at the very least - the Flash exploit could be 'easily' made to work on OS X or Linux doesn't leave much room for gloating.
    "And, remember: there's no 'I' in 'irony'" ~ Merlin Mann

  • #6
    Perhaps I should clarify: Safari is not a turd to look at; it is fraught with vulnerabilities. Now that the OS is more mainstream I'd expect to see the platform get hacked to pieces in short order.

    I would hate to see how Apple would react to a "Level 5" exploit: they would spend more time deleting posts warning of the problem than working on a fix. That is simply not acceptable.

    Apple is not ready for the Enterprise: You heard it here first.
    Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine

  • #7
    You're hardly the first to say that.

    But yes, Safari has had more than its fair share of vulnerabilities, many resulting from Apple being slow to patch known ones in the open source WebKit/KHTML. Then there's Apple's tendency to do just as you say: delete unflattering threads from their forums.

    I'm not sure of the state of things as of late, but back when I still dealt with such things, Microsoft was hardly ready for the enterprise. Of course, I wouldn't say Apple is prepared for the demands of that market either, potentially less so. There is also the fact that Apple has put a lot of effort into appearing to be better than Microsoft in several areas, including security. So they fully deserve to be called out on it.
    Last edited by Jessterw; 31 March 2008, 11:34.
    "And, remember: there's no 'I' in 'irony'" ~ Merlin Mann

  • #8
    So the IE7 'sandbox' in Vista did nothing to protect against the Flash exploit?

    Even when the exploit is limited by the OS to just modifying the files of the current user (what Linux users often claim the OS does), I'm not going to run my internet browsing sessions under a different user name/login! That's just too much of a concession for usability.

    If this 'sandbox' in Vista does nothing, then I wonder if convergence of VM/OS will allow browsing sessions in a VM that's disconnected enough from the underlying OS to protect it from this stuff?

  • #9
    The sandbox protects IE7, but not necessarily 3rd-party applications: some plugins are still written to run in the user context rather than the context of IE7.
    Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine