Mac owned on 2nd day of Pwn2Own hack contest

I have been following this contest and was wondering which OS would be first to fall (if any), seeing as they were all fully patched and running the latest versions. For those that don’t know, Pwn2Own is a contest at CanSecWest open to anyone to hack a Windows, Linux or Mac OSX box under a varying set of conditions.

Not one person entered on the first day; perhaps they don’t want to divulge those heavy exploits…or perhaps no one had any. The second day had a lot more entrants. It’ll be interesting to see what the 3rd day turns up when everything is open to attack.

A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. The feat won him a $10,000 prize paid by Tipping Point, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities.

Interesting that the exploit came via Safari but gave full control. Still, $10,000 is not bad for a day’s work (I’d imagine he probably prepared the exploit earlier, though).

I was somehow expecting Mac to fall first.

At time of writing, the Windows and Linux machines were still standing.

Under contest rules, Miller was forbidden from providing specifics of his hack. He said he chose Apple over the other machines because “I thought of the three it was the easiest”. He said he didn’t test the exploit on any other platform. As a Mac user, he added, he felt an incentive to exploit the system because he believes it will help make the platform stronger.

Miller’s win came on day two of the contest, which gradually eases the rules for what constitutes a qualifying exploit. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine’s operating system, drivers or network stack. Winners were eligible for a $20,000 prize.

On day two, the attack surface was expanded to include browsers, mail applications and other common applications, and the bounty was reduced to $10,000. Contestants on day three will be allowed to attack still more applications, such as Skype, QuickTime and browser plugins for a $5,000 prize.

I wonder if any of our readers are attending CanSecWest. Any of you guys there? Having a go at the contest?

I think more things should be organized like this; at the end of it, it really does make all the OSes more secure. Saying that though, just because no-one exploited it doesn’t mean the vulnerability isn’t there and the bad boys aren’t already using it.

It’s been shown before: the underground is always ahead…and a vulnerability with a working exploit for a fully patched Windows machine is worth way more than $20,000!

Source: The Register

Posted in: Apple, Events/Cons, Exploits/Vulnerabilities

14 Responses to Mac owned on 2nd day of Pwn2Own hack contest

  1. Garrett Gee March 28, 2008 at 6:21 am #

    My day 1 recap is at and you can follow the twitter talk at

  2. Pantagruel March 28, 2008 at 8:46 am #

    Nicely done; $10,000 for 2 minutes (like Darknet says he must have prepared the exploit in advance) isn’t bad.

    Sadly I am not attending CanSecWest, I’ll be in Oxford UK this weekend for my research job. Perhaps next time or at another security meeting.

  3. zupakomputer March 28, 2008 at 10:33 am #

    re: day 1 rules – do they actually let you at the machines themselves, or do you have to access them through a secured or filtered network connection (like a router firewall). If the former then that’s too easy, there’s loads of ways in if you have access to the machine directly – unless they aren’t including anything at hardware level?

  4. Doey6 March 28, 2008 at 1:26 pm #

    I THINK on day one that they require you to do it over the network. No physical access. But I can’t verify that right now.

  5. Pantagruel March 31, 2008 at 11:20 am #

    @Doey 6

    small snippet from

    Once you extract your claim ticket file from a laptop (note that doing so will involve executing code on the box, simple directory traversal style bugs are inadequate), you get to keep it. You also get to participate in 3com / Tipping Point’s Zero Day Initiative, with the top award for remote, pre-auth, vulnerabilities being increased this year. Fine print and details on the cash prizes are available from Tipping Point’s DVLabs blog.

    Quick Overview:

    * Limit one laptop per contestant.
    * You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.
    * Thirty minute attack slots given to contestants at each box.
    * Attack slots will be scheduled at the contest start by the methods selected by the judges.
    * Attacks are done via crossover cable. (attacker controls default route)
    * RF attacks are done offsite by special arrangement…
    * No physical access to the machines.
    * Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pidgin, AOL, Yahoo), Mail readers (Outlook, Thunderbird, kmail) are all in scope.

    Tipping Point’s DVLabs blog:

  6. zupakomputer March 31, 2008 at 5:08 pm #

    Still unclear on the rules after reading that – would the OSs be set up with a passworded user account (ie – so you have to get by that for any desktop access) ?

    Also, why are the comments on the final day page out of order? It’s descending for part of the comments, then it’s ascending?!

  7. Chris Tangora March 31, 2008 at 7:57 pm #

    Don’t forget the other rule. No exploits or vulnerabilities that have already been documented may be used to gain access. This was about true 0Day attacks, not the security as a whole.

  8. Mike Touch April 7, 2008 at 5:28 pm #

    The reason people say Mac is safer is because hackers code for Windows due to the market share Windows has. With more machines operating Windows, hackers have a greater reach, so their viruses are much more effective!

  9. Pantagruel April 8, 2008 at 2:18 pm #

    @Mike Touch

    The effectiveness of a virus isn’t dependent on the user base but on the speed with which the hole it uses is plugged or anti-viral software is updated, making it possible to remove the infection.
    However, the amount of infected machines does matter when you need a lot of clients for a DDoS attack. The chance of getting a nice herd of bots will be bigger if you target a well-spread OS which suffers security flaws like Windows.
    There is no security in obscurity, and the vulnerability of Apple’s OS will increase with increasing market penetration (allowing for a bigger basket of Apple’s ;) ), getting more attention from hackers/crackers and the like.

  10. zupakomputer April 8, 2008 at 5:14 pm #

    Mike, would I really get a free Macbook Air at your link?

  11. Mike Touch April 8, 2008 at 5:44 pm #

    Pantagruel, that’s what I was getting at but you explained it a lot better. Thing is, that isn’t what most Mac users realise. They like to walk around on their high horse saying how much more secure it is when really they’re just as susceptible :)

    zupakomputer, of course you will get one as long as you follow the rules. I’ve received over

  12. fever April 8, 2008 at 6:37 pm #

    $10,000 for two minutes of work, now that is my kind of a pay scale.
    You would only have to work like 10 minutes a year at that rate. Just spend the rest of your time vacationing.

  13. Mike Touch April 8, 2008 at 9:29 pm #

    By a few minutes I mean I had to make a website, market a website and keep it up to date. I’m not going to say it’s easy as I’d be lying!

  14. zupakomputer April 9, 2008 at 6:18 pm #

    How does that work exactly? You set up a site that’s only for people to visit to get a free macbook, so they can also set up a site that is only for people to visit to get a free macbook….how can anyone make money from anyone just visiting sites; do they suppose that x amount of them will visit the adverts, then also buy something they find at the advert sites?