First Pwn2Own 2009 Contest Winners Emerge

Posted by timothy on Thu Mar 19, 2009 04:23 PM
from the good-work-if-you-can-get-it dept.
mellowdonkey writes "Last year's CanSecWest hacking contest winner, Charlie Miller, does it again this year in the 2009 Pwn2Own contest. Charlie was the first to compromise Safari this year to win a brand spankin new Macbook. Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well. Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program."

Related Stories

Apple: MacBook Air First To Be Compromised In Hacking Contest
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.

Next Pwn2Own Contest Targets IE8, Firefox, iPhone
Windows Secrets writes "After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets: Web browsers and mobile phones. According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile."

Mobile: All Five Smartphones Survive Pwn2Own Contest
CWmike writes "Although three of the four browsers that were targets in the PWN2OWN hacking contest quickly fell to a pair of researchers, none of the smartphones were successfully exploited. TippingPoint had offered $10,000 for each exploit on any of the phones, which included the iPhone and the BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems. 'With the mobile devices so limited on memory and processing power, a lot of [researchers'] main exploit techniques are not able to work,' said TippingPoint's Terri Forslof. 'Take, for example, [Charlie] Miller's Safari exploit,' referring to Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year. 'People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000?' she said. 'The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone.'" Chrome was the only browser at the contest that was not successfully exploited. We previously discussed day one of the contest, and a summary of day two is available as well.

Pwn2Own 2009 Winner Charlie Miller Interviewed
crazipper writes "Tom's Hardware interviewed Charlie Miller, winner of this year's Pwn2Own contest and formerly with the NSA. He discusses the effort it took before the contest to be able to take down a MacBook within seconds, sandboxing, and the effectiveness of the NX bit and ASLR. His outlook on end-users protecting themselves against attacks? 'Users are at the mercy of the products they buy.'"

Mozilla First To Patch Pwn2Own Browser Vulnerability
Constantine the Less writes "Mozilla has released Firefox 3.0.8 to fix a pair of code execution holes that put users of the browser at risk of drive-by download attacks. It includes a fix for one of the flaws exploited during this year's CanSecWest Pwn2Own hacker contest. The update also fixes a separate zero-day flaw disclosed earlier this week on a public exploit site. Both issues are rated 'critical,' Mozilla's highest severity rating."

Online Banking Customers Migrating To Lynx
Jibbler writes "Following the recent Pwn2Own competition, in which Firefox, IE8 and Safari all fell quickly to exploits, Netcraft has observed a surge in popularity of the text-based Lynx browser. Netcraft points out that Lynx supports the latest cryptographic ciphers, and at least one online banking site has seen Lynx usage overtake that of Internet Explorer and Firefox. To boost Lynx's excellent security history, Netcraft has even developed a version of its anti-phishing toolbar for Lynx."
  • by Jurily (900488) <jurily@gmDEGASail.com minus painter> on Thursday March 19 2009, @04:27PM (#27261899)

    Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

    Wow.

    • by Anonymous Coward

      Nils, the other winner, was able to use three separate zero day exploits to whack IE8, Firefox, and Safari as well.

      Wow.

      Wow.

    • Re: (Score:3, Insightful)

      I'm pretty sure he knows more methods to compromise the OS through these browsers. Most likely he'll use those methods at next year's Pwn2Own. Same could be said about Charlie Miller.
    • by tonywong (96839) on Thursday March 19 2009, @05:55PM (#27262885) Homepage

      Since no one has placed what 'owned' means, here are the rules from the CanSecWest site:

      2009-03-18-01:00:00 PWN2OWN Final Rules

      Well after much discussion and deliberation here is the final cut at scenarios for the PWN2OWN competitions.

      Browsers and Associated Test Platform

      Vaio - Windows 7

              * IE8
              * Firefox
              * Chrome

      Macintosh

              * Safari
              * Firefox

      Day 1: Default install no additional plugins. User goes to link.
      Day 2: flash, java, .net, quicktime. User goes to link.
      Day 3: popular apps such as acrobat reader ... User goes to link

      What is owned? - code execution within context of application

      =====

      I'm presuming that code execution is the first step towards owning the whole box, which may or may not be trivial once you got code execution happening within the app.

    • The nice thing about this, is that for Firefox, and probably also Safari, the bugs are already fixed.
      So all in all, this was a good thing for us all.

      The third exploit was a good thing for botnet owners only. ;)

  • Hmmm.... (Score:3, Insightful)

    by Khyber (864651) <khyberkitsune@gmail.com> on Thursday March 19 2009, @04:45PM (#27262097) Journal

    Well, I'm not surprised it didn't take but a few moments for the contest to be won.

    Man can make it, man can break it. That's it.

    • Re:Hmmm.... (Score:5, Funny)

      by Anonymous Coward on Thursday March 19 2009, @04:52PM (#27262189)

      But Safari was created by the Gods at Apple....

      • Re:Hmmm.... (Score:5, Funny)

        by ijakings (982830) on Thursday March 19 2009, @05:50PM (#27262837)

        Firefox Three for the Elven-kings under the sky,
        IE Seven for the Dwarf-lords in their halls of stone,
        Netscape Nine for Mortal Men doomed to die,
        One Safari for the Dark Lord on his dark throne
        In the Land of Apple where the Shadows lie.
        One Browser to rule them all, One Browser to find them,
        One Browser to bring them all and in the darkness bind them
        In the Land of Apple where the Shadows lie.

        • It's about time the iPhone got copy&paste, else one couldn't write masterpieces like that on it!
      • Re: (Score:3, Interesting)

        Yeah, but from what I read, the attack was via a PERL regex library used by the javascript engine. So it was in something Apple just used and not something they wrote from scratch. <sarcasm> I'm sure had Apple written the whole thing from scratch, there'd be no bugs...</sarcasm>

        • Yeah, but from what I read, the attack was via a PERL regex library used by the javascript engine. So it was in something Apple just used and not something they wrote from scratch. <sarcasm> I'm sure had Apple written the whole thing from scratch, there'd be no bugs...</sarcasm>

          While we're conjecturing wildly (well, you didn't cite) Apple has a history of failing to keep their Open Source components current, especially perl modules (there was a discussion here recently about manually-updated perl modules being whacked by an Apple 'update'.)

        • Re:Hmmm.... (Score:4, Informative)

          by makomk (752139) on Friday March 20 2009, @06:27AM (#27266473) Journal
          No, it was via Safari's very outdated internal copy (probably even a fork, from what I recall) of the pcre regex library. I think the equivalent bug had been fixed in the upstream library ages before.
    • Well, security research is something you prep for, not do on the fly. No doubt they have been polishing the exploits and thoroughly testing them "off stage", as it were.
      • No kidding. Basically it was a draw from the summary's hat for who won the computers, from what I can gather. At least, that's the impression I'm getting...

        It's also very unclear what constitutes "pwned". Even reading the rules, "code execution in the context of the application" or something... Does that mean these exploits are actually usable to do something malicious, or do they just, say, crash the browser?

        • good point. i was wondering what the runner-up did that put his exploits outside the criteria of the contest.
        • Re: (Score:3, Insightful)

          Does that mean these exploits are actually usable to do something malicious,...

          Yes.

          The code executed by the contestant may not be malicious, it is only meant to showcase the exploit being used. If I were a contestant, I would not run malicious code on the laptop I was hoping to take home with me! Maybe download a Kubuntu .iso and Wubi.exe, and execute Wubi.....

          Used in the wild, the exploit would almost certainly be used to execute malicious code, I'd think.

        • Re: (Score:3, Insightful)

          It's also very unclear what constitutes "pwned". Even reading the rules, "code execution in the context of the application" or something... Does that mean these exploits are actually usable to do something malicious, or do they just, say, crash the browser?

          Seems pretty cut and dried to me: it means they were able to inject their own code into the process's memory and get it to execute. So no privilege escalation, but you can now do whatever said application would theoretically have been able to do.

          • That's why it's time for Android-style security on the desktop: Firefox should ONLY be able to write to a downloads folder & its profile, OO should ONLY be able to read/write to disk, NO network access.

            • I think most slashdotters can understand the implications of what happens when an application running as root gets compromised. Those that don't probably work at Microsoft :-).

  • by Deathlizard (115856) on Thursday March 19 2009, @05:33PM (#27262627) Homepage Journal

    Browsers
    Chrome: 0
    IE8: 1
    Firefox: 1(1)*
    Safari: 2(1)*

    Mobile Browsers
    Blackberry: 0
    Android: 0
    iPhone: 0
    Nokia/Symbian: 0
    Windows Mobile: 0

    *Numbers in parenthesis indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.

    • Has nobody tried "hacking" the mobile devices? You'd think with all the BBs/iPhones/WM and Symbian devices out there, there would be a market for exploiting them.
  • No details? (Score:3, Insightful)

    by rbanzai (596355) on Thursday March 19 2009, @06:31PM (#27263205)

    I checked the article and there don't appear to be any details. A few of these hacking contests have been a bit overblown so I'd like to know what manner of exploit they used.

    If it's another "well you need physical access to the machine and know the admin username and password" then it's no big deal. If it's "we had the user click a link and all hell broke loose" that would be much more interesting.

    • Re:No details? (Score:5, Interesting)

      by ld a,b (1207022) on Thursday March 19 2009, @07:16PM (#27263591) Journal
      >"we had the user click a link and all hell broke loose"

      That is exactly what happened with Safari on MacOS, in seconds. I guess the others fell just as easily, but with a bit cruder exploits.

      We don't get to know the details because vendors get to fix the hole before anything is published, which is long after all of us have forgotten about the contest.

      What really is misleading is that Windows 7 and MacOS are implied pwned when it appears that only the browsers were taken.

      With IE8 purportedly running in a "sandbox", breaking out of that was interesting by itself and hopefully a bit more difficult than just escalating privileges in MacOS.

      I miss Linux too. A hole in firefox means being just one local exploit away from pwning your box.
  • by BestNicksRTaken (582194) on Friday March 20 2009, @04:36AM (#27266075)

    The speed factor seems pointless in this exercise - if they didn't write the exploits there and then at the conference, it effectively boils down to who can stick his thumbdrive in the slot and double-click the fastest!

    Why did it take longer to kill IE8/Firefox if the exploits were already written and just needed to be run by clicking a URL?

    Make the fsckers write their own exploits, and make them do it at the show. THAT would be worth 10k.

  • What details...? (Score:4, Interesting)

    by argent (18001) <peter.slashdot@2006@taronga@com> on Friday March 20 2009, @06:08AM (#27266405) Homepage Journal

    Full detail and pictures are available from the sponsor, TippingPoint, who acquired all of the exploits through their Zero Day Initiative program.

    I see no details here.

  • by SirSlud (67381) on Wednesday March 25 2009, @09:10PM (#27337811) Homepage

    Who the hell cares about Windows, Macs, Linux?

    Put these folks on voting machines - it's way more important to protect the sanctity of democracy than to point out exploitable browsers.

    I get the economics of it, but this is what insurance is for. Software companies care about security, but at some point this becomes more about mental masturbation - cracking will always occur. Why not create some incentive to put the desire to crack on important systems rather than worry about Joe Schmoe's machine getting compromised.

    • Re:WTF ? (Score:4, Insightful)

      by CannonballHead (842625) on Thursday March 19 2009, @04:59PM (#27262263)
      Or both.
    • Re: (Score:3, Informative)

      Nonsense, all exploits used at these have already been known to at least the competitor. Afterwards they are submitted to the developers. This competition is used to give recognition to security researchers and improve browsers, not to prove anything about a certain program.
    • Re: (Score:3, Insightful)

      I think that something is very wrong with the security features of these apps or the OS on which they were run.
      I'd like to see a browser stabilized so that more work can be done on the security. I always wonder, how can they make a secure browser if they are constantly adding features to it?
      What else do we need for a browser to do?
      I'm serious, what else do we really need a browser to do? Can we stop for awhile and work on making one more secure?
    • Re:WTF ? (Score:4, Insightful)

      by doas777 (1138627) on Thursday March 19 2009, @05:22PM (#27262519)
      It seems to me to be an indication that we are pushing new functionality before the basis upon which it functions is mature enough to be safely reviewed. The complexity of a given computing environment is increasing at an approximately exponential rate, so there is more and more that needs to be tested and vetted every day.
      There are just some things that we need to accept aren't safe yet. As much as I like active web pages like this one, the problems with CGI and JavaScript persist even today, despite a decade+ of review and testing. I find online banking and driver's license registration very convenient, but at the same time, I firmly believe that there is no way to be safe when performing fiscal transactions online. Don't get me wrong, I use these services, but I wish the chaotic computing environment would slow down a bit so we can catch up with the security problems of last year, before facing next year's.
    • Or, ... (Score:4, Insightful)

      by reiisi (1211052) on Thursday March 19 2009, @05:32PM (#27262621) Homepage

      Once or twice meant something, but now it's an institution.

      Meaning that somebody is going to try to make a career of breaking the easiest part of the system at this contest.

      Meaning that these guys are going to sit on their exploits.

      Meaning that this contest, running at a set time once a year, is now meaningless.

      Except for advertising potential. You know, keeping your product name in the headlines.

      The respective companies should offer a running bounty on exploits on their browsers. Yeah, that would spoil all the pageantry of Pwn2Own, but do we really need another pageant?

      • Re:Or, ... (Score:4, Insightful)

        by Nazlfrag (1035012) on Friday March 20 2009, @12:00AM (#27265145) Journal

        They change the rules and targets each year. Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year. It's used to promote the Zero Day Initiative [zerodayinitiative.com] which pays you directly for exploits, no fancy contest needed. The contest serves its purpose perfectly. It's never been a meaningful way to stop exploits anyway, just a promotional vehicle for the conference and the respective companies. Nobody's going to make a career out of this competition. If they were good enough to do that, they could make a comfortable living from the ZDI.

        • Re:Or, ... (Score:4, Insightful)

          by pyrrhonist (701154) on Friday March 20 2009, @02:38AM (#27265693)

          Nobody will sit on an exploit all year because there's no way to know what to hang on to, or whether the hole will still be there in a month, let alone a year.

          That's exactly what happened [zdnet.com] this year:

          I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

          • Re:Or, ... (Score:5, Insightful)

            by Fred_A (10934) <fred.fredshome@org> on Friday March 20 2009, @03:27AM (#27265855) Homepage

            That's exactly what happened [zdnet.com] this year:

            I actually found this bug before last year's Pwn2Own but, at the time, it was harder to exploit. I came to CanSecWest last year with two bugs but only one exploit. Last year, you could only win once so I saved the second bug. Turns out, it was still there this year so I wrote another exploit and used it this year.

            So in a way what this event did is help keep a known vulnerability open for a year more than it should have been. Which means that there is a fair chance that in the meantime somebody else might have found and used it in the wild.

            Brilliant.

      • Re:Or, ... (Score:4, Informative)

        by BZ (40346) on Friday March 20 2009, @12:36AM (#27265271) Homepage

        > The respective companies should offer a running bounty on exploits on their browsers.

        You mean like http://www.mozilla.org/security/bug-bounty.html [mozilla.org] ?

        The problem is that browser exploits sell for about $10,000 at the moment (that's how much various "security" companies will pay for them). The bug bounty above is $500...

        • Alas, the bad guys will always want to pay more for the exploit as it's more valuable to them. Get this: $10,000 is nothing, they can make millions in profit!

    • Straight from the horse's mouth:

      "Why Safari? Why didn't you go after IE or Safari?

      It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

      It's more about the operating system than the (target) program. Firefox on Mac is p

    • Re: (Score:3, Informative)

      I think the problem is that if you completely isolate the browser, it becomes less useful, so no one wants to. Also, interprocess communication is a kernel-level thing, so whatever process is running inherently has the ability to work with other processes and threads. All you have to do is break the protections within the process and you have some real control.
      They are getting better with this, but they still have a long way to go.
    • Don't you read slashdot? [slashdot.org] There's a known hack to take control of the CPU and circumvent the entire OS.

      Your computer is only yours by the whims of others.

      • That only works in ring 0, that is, if you are already root. Thus, it can only make a bad exploit even worse, it won't help you get out of a sandbox.

    • Firefox is Firefox, it runs on Linux, it can be exploited on Linux. NOSCRIPT FTW

      • Re: (Score:2, Insightful)

        The same hole can have different levels of exploitability in different OSes. FF for Windows cannot take advantage of ASLR because Windows XP didn't support it. In Linux it should be enabled by default by now. MacOS X has nothing at all yet.

        If all OSes would implement all of OpenBSD security features, even if not perfectly, the amount of exploitable bugs would decrease considerably. The bug is still there, but the black hat is met with a harsh environment totally unlike the green garden that are major OSes.
    • by 93 Escort Wagon (326346) on Thursday March 19 2009, @07:36PM (#27263715)

      Is it just me, or does it look like they censored Nils' zipper when he was showing off his winnings?

      I have no idea - but why were you looking down there in the first place?