I have been following this contest and was wondering which OS would be first to fall (if any), seeing as they were all fully patched and running the latest versions. For those that don't know, Pwn2Own is a contest at CanSecWest open to anyone who can hack a Windows, Linux or Mac OS X box under a set of conditions that changes each day.
Not one person entered on the first day; perhaps they don't want to divulge those heavy exploits, or perhaps no one had any. The second day had a lot more entrants. It'll be interesting to see what the third day turns up, when everything is open to attack.
A brand-new MacBook Air running a fully patched version of Leopard was the first to fall in a contest that pitted the security of machines running OS X, Vista and Linux. The exploit took less than two minutes to pull off.
Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing. The feat won him a $10,000 prize paid by Tipping Point, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities.
Interesting that the exploit came in through Safari but still gave full control. $10,000 is not bad for a day's work (though I'd imagine he probably prepared the exploit earlier).
I was somehow expecting Mac to fall first.
At time of writing, the Windows and Linux machines were still standing.
Under contest rules, Miller was forbidden from providing specifics of his hack. He said he chose Apple over the other machines because “I thought of the three it was the easiest”. He said he didn’t test the exploit on any other platform. As a Mac user, he added, he felt an incentive to exploit the system because he believes it will help make the platform stronger.
Miller’s win came on day two of the contest, which gradually eases the rules for what constitutes a qualifying exploit. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine’s operating system, drivers or network stack. Winners were eligible for a $20,000 prize.
On day two, the attack surface was expanded to include browsers, mail applications and other common applications, and the bounty was reduced to $10,000. Contestants on day three will be allowed to attack still more applications, such as Skype, QuickTime and browser plugins for a $5,000 prize.
I wonder if any of our readers are attending CanSecWest. Any of you guys there? Having a go at the contest?
I think more things should be organised like this; at the end of the day it really does make all the OSes more secure. Saying that though, just because no one exploited a machine doesn't mean the vulnerability isn't there and the bad boys aren't already using it.
It's been shown before that the underground is always ahead, and a vulnerability with a working exploit for a fully patched Windows machine is worth way more than $20,000!
Source: The Register
Garrett Gee says
My day 1 recap is at http://infosecevents.net/2008/03/26/cansecwest-day-1-recap/ and you can follow the twitter talk at http://www.hashtags.org/tag/cansecwest/
Pantagruel says
Nicely done; $10,000 for 2 minutes (like Darknet says, he must have prepared the exploit in advance) isn’t bad.
Sadly I am not attending CanSecWest, I’ll be in Oxford UK this weekend for my research job. Perhaps next time or at another security meeting.
zupakomputer says
re: day 1 rules – do they actually let you at the machines themselves, or do you have to access them through a secured or filtered network connection (like a router firewall)? If the former, then that’s too easy; there are loads of ways in if you have access to the machine directly – unless they aren’t including anything at hardware level?
Doey6 says
I THINK on day one that they require you to do it over the network. No physical access. But I can’t verify that right now.
Pantagruel says
@Doey6
Small snippet from cansecwest.com:
Once you extract your claim ticket file from a laptop (note that doing so will involve executing code on the box, simple directory traversal style bugs are inadequate), you get to keep it. You also get to participate in 3com / Tipping Point’s Zero Day Initiative, with the top award for remote, pre-auth, vulnerabilities being increased this year. Fine print and details on the cash prizes are available from Tipping Point’s DVLabs blog.
Quick Overview:
* Limit one laptop per contestant.
* You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.
* Thirty minute attack slots given to contestants at each box.
* Attack slots will be scheduled at the contest start by the methods selected by the judges.
* Attacks are done via crossover cable. (attacker controls default route)
* RF attacks are done offsite by special arrangement…
* No physical access to the machines.
* Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pidgin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.
Tipping Point’s DVLabs blog:
dvlabs.tippingpoint.com/blog/2008/03/19/cansecwest-pwn-to-own-2008
zupakomputer says
Still unclear on the rules after reading that – would the OSs be set up with a passworded user account (i.e. so you have to get by that for any desktop access)?
Also, why are the comments on the final day page out of order? It’s descending for part of the comments, then it’s ascending?!
Chris Tangora says
Don’t forget the other rule. No exploits or vulnerabilities that have already been documented may be used to gain access. This was about true 0day attacks, not security as a whole.
Mike Touch says
The reason people say MAC is safer is because hackers code for Windows due to the market share Windows has. With more machines running Windows, hackers have a greater reach, so their viruses are much more effective!
Pantagruel says
@Mike Touch
The effectiveness of a virus isn’t dependent on the user base but on the speed with which the hole it uses is plugged, or anti-virus software is updated, making it possible to remove the infection.
However, the number of infected machines does matter when you need a lot of clients for a DDoS attack. The chance of getting a nice herd of bots will be bigger if you target a widely deployed OS which suffers security flaws, like Windows.
There is no security in obscurity, and the vulnerability of Apple’s OS will increase with increasing market penetration (allowing for a bigger basket of Apples ;) ), getting more attention from hackers/crackers and the like.
zupakomputer says
Mike, would I really get a free Macbook Air at your link?
Mike Touch says
Pantagruel, that’s what I was getting at, but you explained it a lot better. Thing is, that isn’t what most MAC users realise. They like to walk around on their high horse saying how much more secure it is when really they’re just as susceptible :)
zupakomputer, of course you will get one as long as you follow the rules. I’ve received over
fever says
$10,000 for two minutes of work, now that is my kind of a pay scale.
You would only have to work like 10 minutes a year at that rate. Just spend the rest of your time vacationing.
Mike Touch says
By a few minutes I mean I had to make a website, market a website and keep it up to date. I’m not going to say it’s easy as I’d be lying!
zupakomputer says
How does that work exactly? You set up a site that’s only for people to visit to get a free MacBook, so they can also set up a site that is only for people to visit to get a free MacBook… how can anyone make money from anyone just visiting sites? Do they suppose that x amount of them will visit the adverts, then also buy something they find at the advert sites?