Well it’s March again and well we love March because it’s Pwn2Own time! Every year around this time we get some goodies to discuss way back since:
- 2008 – Mac owned on 2nd day of Pwn2Own hack contest
- 2009 – Charlie Miller Does It Again At PWN2OWN
- 2010 – Mozilla Beats Apple & Microsoft to Pwn2Own Patch For Firefox
It took Microsoft till June last year to fix the Pwn2Own bug – Microsoft Patches At Least 34 Bugs Including Pwn2Own Vulnerability.
Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them.
The attacks came on Day One of the Pwn2Own contest, which pays more than $15,000 apiece for exploits that successfully give the attacker full remote access of the targeted machine. Wednesday’s event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google’s Chrome browser was also up for grabs, but no one stepped forward to try hacking it.
“Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security and the contestant who successfully hacked Safari. “This is what we wanted to demonstrate – that we can create a very reliable exploit for Apple Mac OS and Safari without even crashing the browser.”
Contest rules forbid him from disclosing most technical details behind the vulnerability, but he was permitted to say that it involved what’s known as a use-after-free flaw in the Apple browser. He said the exploit used a technique known as return-oriented programming to bypass a security protection known as data execution prevention that is built into many Apple programs.
There have been a barrage of patches recently too with Microsoft patching some very serious bugs in the March 2011 Black Tuesday, Apple patches critical Mac bugs with Java updates, Apple patching 62 bugs in Safari and Jon Oberheide killing his own Android bug by reporting it to Google.
It’ll be interesting to what else comes out of Pwn2Own this year.
After building the tools from scratch, it took him about two weeks to find the bug and set out to exploit it. The result was an attack that reliably commandeers a Mac when Safari visits a website that hosts the malicious code.
“Just after visiting the webpage with the affected version of Safari, we can, for example, launch the calculator or open a shell or do anything else we want,” he said a minute or two after demonstrating the exploit at the contest, which was attended by members of Apple’s security team. “We have the same privileges as the user who visited the webpage.”
He said users would have no way of knowing their machines have been compromised. There is no prompt asking for a password. The only way to thwart the attack is to run Safari from an account that has been configured to have limited privileges.
Under competition rules, contestants drew a lottery to determine who was the first to attempt hacking a particular browser. Once a browser was compromised, it was eliminated from the running. Both IE and Safari were hacked on the first try.
“I have an exploit all ready to go, and now it’s just sitting in my bag,” said Charlie Miller, a three-time Pwn2Own winner, shortly after Bekrar took this year’s prize. “You’d think Apple would be concerned about it.”
Miller said he’s had the working attack for more than nine months now. Even after Apple patched a whopping 62 Safari security bugs just hours before the contest started, Miller’s exploit still worked, he said.
Charlie Miller has a working exploit sitting in his back too after Bekrar already took the prize. It seems like it’s really quite worth developing a reliable, working 0-day exploit for $15,000!
The new sandbox in IE got pwned pretty easily too, which shows..slapping on some tonka toy security controls isn’t ever going to stop a dedicated attacker. There was one contestant who stepped up to the plate to take down Google’s Chrome, but perhaps the exploit didn’t work as there’s no reports on that.
Day two of Pwn2Own will see attacks on Smart-phone platforms – Windows 7 Mobile, an iPhone 4, a BlackBerry Torch 9800, and a Nexus S running Google’s Android. There are multiple contestants signed up for each platform!
Source: The Register