• 2008 – Mac owned on 2nd day of Pwn2Own hack contest
• 2009 – Charlie Miller Does It Again At PWN2OWN
• 2010 – Mozilla Beats Apple & Microsoft to Pwn2Own Patch For Firefox

It took Microsoft till June last year to fix the Pwn2Own bug – Microsoft Patches At Least 34 Bugs Including Pwn2Own Vulnerability.

This time both Internet Explorer and Safari fell on the first day!

Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them.

The attacks came on Day One of the Pwn2Own contest, which pays more than $15,000 apiece for exploits that successfully give the attacker full remote access of the targeted machine. Wednesday’s event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google’s Chrome browser was also up for grabs, but no one stepped forward to try hacking it.

“Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security and the contestant who successfully hacked Safari. “This is what we wanted to demonstrate – that we can create a very reliable exploit for Apple Mac OS and Safari without even crashing the browser.”

Contest rules forbid him from disclosing most technical details behind the vulnerability, but he was permitted to say that it involved what’s known as a use-after-free flaw in the Apple browser. He said the exploit used a technique known as return-oriented programming to bypass a security protection known as data execution prevention that is built into many Apple programs.

There have been a barrage of patches recently too with Microsoft patching some very serious bugs in the March 2011 Black Tuesday, Apple patches critical Mac bugs with Java updates, Apple patching 62 bugs in Safari and Jon Oberheide killing his own Android bug by reporting it to Google.

Also sadly one of the Pwn2Own champions Geohot wasn’t present most likely to to the shit storm Sony is throwing at him.

It’ll be interesting to what else comes out of Pwn2Own this year.

After building the tools from scratch, it took him about two weeks to find the bug and set out to exploit it. The result was an attack that reliably commandeers a Mac when Safari visits a website that hosts the malicious code.

“Just after visiting the webpage with the affected version of Safari, we can, for example, launch the calculator or open a shell or do anything else we want,” he said a minute or two after demonstrating the exploit at the contest, which was attended by members of Apple’s security team. “We have the same privileges as the user who visited the webpage.”

He said users would have no way of knowing their machines have been compromised. There is no prompt asking for a password. The only way to thwart the attack is to run Safari from an account that has been configured to have limited privileges.

Under competition rules, contestants drew a lottery to determine who was the first to attempt hacking a particular browser. Once a browser was compromised, it was eliminated from the running. Both IE and Safari were hacked on the first try.

“I have an exploit all ready to go, and now it’s just sitting in my bag,” said Charlie Miller, a three-time Pwn2Own winner, shortly after Bekrar took this year’s prize. “You’d think Apple would be concerned about it.”

Miller said he’s had the working attack for more than nine months now. Even after Apple patched a whopping 62 Safari security bugs just hours before the contest started, Miller’s exploit still worked, he said.

Charlie Miller has a working exploit sitting in his back too after Bekrar already took the prize. It seems like it’s really quite worth developing a reliable, working 0-day exploit for $15,000!

The new sandbox in IE got pwned pretty easily too, which shows..slapping on some tonka toy security controls isn’t ever going to stop a dedicated attacker. There was one contestant who stepped up to the plate to take down Google’s Chrome, but perhaps the exploit didn’t work as there’s no reports on that.

Day two of Pwn2Own will see attacks on Smart-phone platforms – Windows 7 Mobile, an iPhone 4, a BlackBerry Torch 9800, and a Nexus S running Google’s Android. There are multiple contestants signed up for each platform!

Source: The Register

Another clever attack that got some coverage lately was tabnapping and the latest is another fascinating way to lift information from browsers using the auto-complete feature.

It’s good to see these kind of attacks, when you think about technically how they operate – they are fairly simple. But in saying that it takes a leap in logic to even get to the point where you can start coding for something like this.

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week’s Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Among the most serious is a vulnerability in Apple’s Safari and earlier versions of Microsoft’s IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers’ autocomplete feature used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding javascript that simulates the user entering various letters, numbers or keystrokes into each one.

It seems all 4 of the main browsers are susceptible to this, although the implementation varies slightly for each browser. Hacking wise that’s not a big problem as you can just do a user agent string identification when the user lands on the malicious page and serve them up with the relevant info grabbing script for their browser type.

The worst case scenario is if this flaw allows malicious pages to gather user passwords that are stored in the browser, combined with the ability to probe the browser to see which sites they have visited..it could multiply into a quite accurate and potentially dangerous attack.

The worst effected is the Safari and older versions of Internet Explorer.

Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman’s proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.

“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it’s so brain-dead simple.” When he sent a follow up query “I never heard anything back, human or robotic.”

Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user’s down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.

Apart from the above flaws he seems to have uncovered a whole lot of bugs in all the major browsers including ways to steal passwords from Firefox and Chrome by using bugs + XSS attacks.

Another neat trick is the ability to erase all cookies on a users computer, not really dangerous but certainly annoying. The trick is to spawn more cookies than the browser can handle (about 3000 for Firefox) so the browser will delete all older cookies. The PoC for this takes about 2.5 seconds!

It’ll be interesting to see the whole talk at BlackHat.

Source: The Register

Seems like Pwn2Own is getting a reputation for uncovering some pretty nasty browser based vulnerabilities, once again this year Firefox, Safari and IE8 were all broken wide open. The latest development is Mozilla has beaten both Microsoft and Apple to the punch and released Firefox 3.6.3 patching the vulnerability.

Again it was a critical vulnerability and the creator netted himself $10,000 from the contest for the exploit. Pretty fast patching from Firefox though with an 8 day turnaround, and the vulnerability is only on Firefox 3.6.x not 3.5.x in its current state.

Mozilla late yesterday patched a critical Firefox vulnerability used by a German researcher to win $10,000 for hacking the open-source browser at last week’s Pwn2Own contest.

In a repeat of 2009, Mozilla was the first browser maker to patch a bug exploited at Pwn2Own. In fact, the company improved on its performance by fixing the newest flaw only eight days after Nils, a researcher who works for U.K.-based MWR InfoSecurity, hacked Firefox. Last year, Mozilla took 10 days to come up with its Pwn2Own fix. Nils also successfully exploited Firefox at 2009′s contest.

This time, Nils used a memory corruption flaw to hack the browser, Mozilla said in the security advisory that accompanied the update to Firefox 3.6.3. It rated the bug as “critical,” the highest threat ranking in its four-step scoring system.

Nils exploited Firefox 3.6.2 — Mozilla had patched the browser just two days before the contest kicked off — on 64-bit Windows 7 , also bypassing the operating system’s DEP (data execution prevention) and ASLR (address space layout randomization) defenses. For his work, Nils was awarded $10,000 by 3Com TippingPoint, Pwn2Own’s sponsor.

Gotta give him some props though, exploiting the latest version of Firefox and bypassing both DEP and ASLR. Nice work Nils! It just goes to shows, if the motivation is there (which it is for many blackhats) then an entry vector can be found.

Especially with the rapid pace of software development in the web era, there’s no way everything can be kept secure with all the additional features and functions that are constantly being added.

Other researchers hacked Apple’s Safari and Microsoft’s Internet Explorer 8 (IE8) to also win $10,000 each.

According to Mozilla, Nils’ exploit only works against Firefox 3.6, the newest edition, but the company said it planned to also patch Firefox 3.5 “just in case there is an alternate way of triggering the bug.” Mozilla did not specify a timeline for the Firefox 3.5 update. Firefox 3.5 was just patched last Monday to bring it to version 3.5.9.

Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its change- and bug-tracking database, allowing only authorized users to view information on the flaw. That move is typical of Mozilla when it has patched some, but not all, of its browsers.

Neither Apple or Microsoft has announced plans to patch their Pwn2Own vulnerabilities. Microsoft has acknowledged receiving details of the IE8 vulnerabilities that Dutch researcher Peter Vreugdenhil used to hack the browser, but earlier this week said a patch was not ready.

Microsoft as usual have stated it is still ‘under investigation’ having just patched 10 vulnerabilities in IE8 last week, they now have another to add to the list. I’m not holding my breath for an out-of-band patch however.

Mozilla also made the move to lock the public out of the vulnerability details on Bugzilla to prevent it from getting into the wild.

No news from Apple yet on the Safari bug, wonder when they’ll come out with a fix for it? Or acknowledge it even? Or perhaps they’ve already fixed it and pushed out the patch..who knows?

Source: Network World

As the German IT portal heise online conveys, a new security hole in the Safari webbrowser for Apple’s Mac OS X has been discovered. This security hole is rather severe, as it invokes the execution of shell scripts under certain circumstances.

Once again the Safari option “open safe” files automatically after download bears the blame. If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore – it’ll just execute it anyways. Unfortunately you can simply rename a shellscript without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file – zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP – it’ll take it as totally normal to execute the “jpg file” with the shell.

To circumvent this issue immediately, you can exercise two countermeasures – the first one is to disable that unsafe option in Safari, the second one is to move the terminal to another place, as the connection between shellscript and terminal has a hardcoded file path to the terminal. Additionally, you should never ever work with administrator privileges – as one should be used to with windoze, this rule of thumb has the same virtues on a Mac as well

Source: 4null4.de

A rare exploit for Mac eh, it is possible to exploit, it’s not just a theory, you can find a proof of concept here:

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx.html

With a Babelfish Translation.