Last Year's CanSecWest Winner Repeats on Vista, Ubuntu Wins

Posted by CmdrTaco on Sat Mar 29, 2008 11:02 AM
from the tough-nut-to-crack dept.
DimitryGH followed up on the earlier news that the MacBook Air lost CanSecWest by noting that "Last year's winner of the CanSecWest hacking contest has won the Vista laptop in this year's competition. According to the sponsor TippingPoint's blog, Shane Macaulay used a new 0day exploit against Adobe Flash in order to secure his win. At the end of the day, the only laptop (of OS X, Vista, and Ubuntu) that remained unharmed was the one running Ubuntu. How's that for fueling religious platform wars?"

Related Stories

MacBook Hacked In Contest Via Zero-Day Hole in Safari (156 comments)
EMB Numbers writes "Shane Macaulay just won a MacBook as a prize for successfully hacking OS X at CanSecWest conference in Vancouver, BC. The hack was based on a Safari vulnerability found by Dai Zovi and written in about 9 hours. CanSecWest organizers actually had to relax the contest rules to make the hack possible, because initially nobody at the event could breach the computers under the original restrictions. 'Dai Zovi plans to apply for a $10,000 bug bounty TippingPoint announced on Thursday if a previously unknown Apple bug was used. "Shane can have the laptop, I want the money," Dai Zovi said in a telephone interview from New York. TippingPoint runs the Zero Day Initiative bug bounty program.'"
Apple: MacBook Air First To Be Compromised In Hacking Contest (493 comments)
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
Developers: Malware Modification Contest Has Antivirus Vendors Upset (164 comments)
SkiifGeek writes "Race to Zero, a sideline competition being set up at this year's DefCon, already has some Antivirus vendors steaming over the objectives of the contest. They are upset because it is essentially a polymorphism exercise. Entrants are given a set of malware samples which they must then modify to pass through a battery of antivirus scanners without detection while still carrying a viable payload. Even if competitors ignore the published vulnerabilities and weaknesses affecting antivirus vendors, the competition should turn up some interesting results. It may provide technical insight and concepts for further research as similar competitions have done in the past."
  • by cizoozic (1196001) on Saturday March 29, @11:07AM (#22904894)

    How's that for fueling religious platform wars?
    Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!
    • by garett_spencley (193892) on Saturday March 29, @11:09AM (#22904914) Homepage
      "Should do quite nicely. Check back on this thread in a few hours - I'll bring the beers!"

      What kind?

      And if you say a light North American lager I'm going to smite you in the name of the almighty beer lord!
    • Re:Popcorn anyone? (Score:5, Insightful)

      by call-me-kenneth (1249496) on Saturday March 29, @11:29AM (#22905026)
      What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)
      • Re:Popcorn anyone? (Score:5, Informative)

        by Zero__Kelvin (151819) on Saturday March 29, @12:15PM (#22905314) Homepage

        "What's the betting that the Linux and MacOS versions of Flash are also vulnerable to this 0day? It's rare for a Flash issue to affect only one platform (the same is true of the Acrobat reader and other typical cross-platform browser plug-ins.) Let's wait for the Adobe advisory before jumping to conclusions, shall we? (Disclaimer, I'm a Linux user.)"
        It depends upon what you mean by "Flash issue." If you mean a bug in the rendering or stream processing, or GUI etc. then yes it is likely that the same bug would be found on all three platforms.

        The question isn't "Is Flash vulnerable?", but rather does a vulnerability at the application layer allow you to hack into the OS. It is entirely beside the point if Flash is flawed in the same way, though there is a reasonable likelihood that it is not in this case. There are significant differences in code compiled for the various platforms. We Software Engineers call that "conditional compilation."
        • Re:Popcorn anyone? (Score:5, Informative)

          by VertigoAce (257771) on Saturday March 29, @01:12PM (#22905696)
          Actually, IE on Vista runs with fewer permissions than a normal User account by default. It runs as a low-integrity process. This means that it loses access to most of the user's files (it has access to things like the temp directory for storing cookies, cache, etc.). See MSDN [microsoft.com] for details.
    • by phantomfive (622387) on Saturday March 29, @12:42PM (#22905508) Homepage Journal
      There's no religious war here. Ubuntu is clearly the best.
  • Software sucks. (Score:5, Interesting)

    by Anonymous Coward on Saturday March 29, @11:08AM (#22904900)
    A 0-day exploit in Flash. What does Flash do? It paints to the screen. It has no need to communicate with other applications or write anywhere on the system except perhaps in a single configuration file. Why is this software not bullet proof? The thing is only a couple hundred kbytes small, for heaven's sake!
  • Hey! (Score:5, Funny)

    by spectrokid (660550) on Saturday March 29, @11:08AM (#22904906) Homepage
    it was Adobe's fault, not Microsoft's! Let's all switch to Silverlight and we will be OK!!!!
      • Re:Hey! (Score:5, Informative)

        by calebt3 (1098475) on Saturday March 29, @11:51AM (#22905152) Homepage

        I don't see why the test includes third party software.
        Because nobody managed to crack it with it just sitting on the network all day, and only the Mac got cracked doing web browsing/email.
  • Something is Fishy (Score:5, Informative)

    by ThinkFr33ly (902481) on Saturday March 29, @11:39AM (#22905078)
    If the person on the Vista laptop was running IE 7 with the default configuration (protected mode [msdn.com] / UAC on), this should not have happened.

    Flash, like all other plugins, runs within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.

    For a flash plugin to allow a hacker to access personal files of the user it would not only have to have a buffer overflow (or some other exploit) in flash itself, but also take advantage of a privilege elevation exploit in Windows simultaneously.

    I didn't see them specify in the article what browser they were using. Since they said it was an issue with flash, and not Windows, they couldn't have been using IE. My guess is that it was Firefox, since they said they loaded "popular" 3rd party apps.

    Furthermore, the file in question must have been accessible to the user running Firefox (or whatever non-IE browser) since that would also require a privilege elevation in Windows.

    So I'm not really sure how you can blame this on Vista or even Microsoft. If they had been using IE, it wouldn't have happened, regardless of the flaws in Flash. This says absolutely nothing about Vista security. The exact same thing would happen on every other OS. If you have an app with an exploit, and that app is running as User A, the hacker using that exploit has the same rights as User A.

    I suppose one could argue that various defensive techniques like ASLR [msdn.com] should have stopped this, but without knowing the details, that's impossible to say. A buffer overflow can just as easily be used to call APIs exposed by the exploited application as it can to call OS APIs, and since ASLR only applies to Windows APIs (indeed, many of these techniques only apply at the OS level), this wouldn't be a fair characterization either.

    Indeed, I find it strange that they didn't mention mitigating factors. I realize they're trying to be responsible as far as reporting, but telling people that users running IE on Vista aren't affected isn't exactly giving anything away... aside from the fact that Vista did its job as best it could.
    • by benjymouse (756774) on Saturday March 29, @12:43PM (#22905514)

      Flash, like all other plugins, runs within the security context of the low-rights user used by protected mode. Even if the flash plugin had an obvious buffer overflow or other exploit, it would only be able to access the data accessible by that low rights user, NOT the user running IE. That's the point of protected mode.


      You are right that plugins by default run under the special low-rights "ieuser" account. Unless the plugin uses tricks to circumvent this security for some reason.

      And that is exactly what flash does. It uses a special "broker process" which runs as a daemon/service. The restricted plugin then talks to this broker process and thus breaks out of the sandbox.

      The flash API indeed has methods for creating/deleting/reading files and even executing applications (Would you believe that?). Although Adobe/Macromedia have tried to ensure that flash actionscripts can only use these in a "safe" way, I believe it is probable that the exploit was somehow connected to a vuln in the broker process; quite possibly in some of these API functions. Using a broker process to break out of the sandbox can circumvent any security precautions taken by the browser.

      Given that Flash vulns are often cross-platform I think it is quite likely that this also is a problem on Linux. Now, if the special file which the contestants had to retrieve required *admin rights* then yet another level of security had been broken (UAC). But at this time we can't really determine that.

      • by ThinkFr33ly (902481) on Saturday March 29, @12:10PM (#22905276)
        That is not correct. Protected Mode's low rights user has virtually no access to the system.

        Unless that file was specifically marked readable by the low rights user (which would be obvious cheating), or unless it was placed in a directory accessible by that user (temp directory, for instance), they could not have been using IE.
          • by ThinkFr33ly (902481) on Saturday March 29, @12:50PM (#22905564)
            No. The low rights user has access to a limited number of registry entries, isolated storage (temp directory and a few others under the user's profile), but has absolutely no access to virtually anything else... especially the user's documents.

            A broker service is used when reading or writing to user files (such as when they save a file to their desktop, or upload a document to a web site). This isolates the potentially dangerous code into a very small (~10k lines) application that is far easier to audit. This application runs as the normal user, and essentially accepts requests from the low rights IE process when actions need to be performed on user files.
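The low-integrity model and the broker that the two comments above describe, as a small added model (not code from this thread, Microsoft or Adobe). The integrity-level RIDs and label policy bits are the real Windows values; the file paths, labels and the broker's allow-list are constructed for illustration. Note that the default label policy is No-Write-Up only, so a Low process is blocked from modifying Medium-labelled files, while reads fall through to the ordinary DACL check.

```python
"""Toy model of Windows Mandatory Integrity Control (MIC), the mechanism behind
IE7 Protected Mode, with a minimal broker in front of it. Added example; the RID
and policy constants are real Windows values, everything else is constructed."""
from dataclasses import dataclass, field

# Integrity levels: RIDs of the mandatory label SIDs S-1-16-<RID>.
LOW, MEDIUM, HIGH = 0x1000, 0x2000, 0x3000

# Label policy bits (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP and friends).
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
POLICY_BITS = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}


@dataclass
class Obj:
    """A securable object carrying a mandatory label (constructed)."""
    path: str
    level: int = MEDIUM         # an unlabelled user file is treated as Medium
    policy: int = NO_WRITE_UP   # with the default No-Write-Up policy


def mic_allows(subject_level: int, obj: Obj, access: str) -> bool:
    """Mandatory check evaluated before the DACL: a subject whose level is
    below the object's is denied the accesses named in the object's policy."""
    if subject_level >= obj.level:
        return True
    return not (obj.policy & POLICY_BITS[access])


@dataclass
class Broker:
    """Medium-integrity helper that writes files for the Low renderer
    (constructed). The sandbox is only as strong as this check: a broker
    that writes wherever the Low process asks would undo the label."""
    level: int = MEDIUM
    user_approved: set = field(default_factory=set)

    def write_for_low_process(self, obj: Obj) -> bool:
        if obj.path not in self.user_approved:   # must be a user-chosen target
            return False
        return mic_allows(self.level, obj, "write")


# Constructed sample objects: the Low cache directory and a user document.
LOW_CACHE = Obj(r"C:\Users\u\AppData\LocalLow\cache.tmp", LOW)
DOCUMENT = Obj(r"C:\Users\u\Documents\private.txt")


def demo() -> dict:
    broker = Broker(user_approved={DOCUMENT.path})   # user picked it in a dialog
    return {
        "low_writes_cache": mic_allows(LOW, LOW_CACHE, "write"),
        "low_reads_document": mic_allows(LOW, DOCUMENT, "read"),
        "low_writes_document": mic_allows(LOW, DOCUMENT, "write"),
        "unapproved_broker_write": Broker().write_for_low_process(DOCUMENT),
        "approved_broker_write": broker.write_for_low_process(DOCUMENT),
    }
```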
  • ... but it certainly confirms my strong aversion to putting anything Adobe on my machines. Seriously, who hasn't noticed how invasive and hoggish Adobe's stuff is? I cringe when I click a link to a PDF in a website, causing Adobe reader to launch inside the browser. It brings any machine to its knees as it consumes every available resource while rendering a simple document. And Adobe Elements (that's their "lightweight" photo product) takes the better part of a minute to start up on my dual core, 2GB box (non-RAIDed SATA drive). I guess it shouldn't surprise me that they have security problems as well ... slow software is usually sloppy software, and sloppy software is usually insecure software.
    • Re:Newsworthy? (Score:5, Insightful)

      by call-me-kenneth (1249496) on Saturday March 29, @11:26AM (#22905004)
      Hint: script kiddies don't tend to have 0day in the real world.
    • Re:Newsworthy? (Score:5, Informative)

      by kripkenstein (913150) on Saturday March 29, @12:01PM (#22905222)

      I don't see how a script kiddy running 0day exploits on a box is in any way related to the total end point security, or security of the OS. Seems all he did was take inventory of the box -- realize flash was vulnerable and exploited it. Could've happened to any OS -- Ubuntu included -- that provides its end users with insecure software. Seems like trivial marketing fluff -- setup to spur stupid religious wars.
      Hmm, I disagree.

      First, this wasn't some script kiddie applying a known exploit. It was a new exploit that the winning team came up with. It isn't trivial to do.

      Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.

      Second, and perhaps more important, the existence of 3rd party software on different OSes isn't the same. For example, most Windows users use Adobe Acrobat to view PDFs, whereas many Linux users use FOSS PDF viewers (Evince, KPDF). It might be the case - and I am guessing that it is - that Acrobat has far more exploits against it, both because it has far more code (what with all the functionality 99% of users don't need), and that it isn't open source. In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.

      Furthermore, even if two OSes run the same app - Flash, say - that doesn't mean they are equally vulnerable. Flash isn't identical between the platforms; if I am not mistaken on Linux Flash uses Alsa for sound (or some other Linux sound system). So if Alsa is more secure than Windows' sound system, that would be one difference.

      I'm not saying this competition is a great test of OS security. It isn't; it's an anecdote. But it isn't worthless either. In fact the results are pretty much what I would have expected from the beginning: OS X is a great OS but security has never been a top priority (there wasn't as much of a need for it, so why bother). Windows has focused on security recently but is hobbled by having lots of closed-source 3rd party apps. Linux was always security-focused (starting as a server OS), and has the advantage of most of its software being FOSS and arriving from a repo under the control of the distro (in this case Ubuntu).
      • by Anonymous Coward on Saturday March 29, @12:19PM (#22905342)

        In general Windows users tend to have lots of 3rd party apps that are closed source and of dubious quality. That isn't the case on Linux.
        Yeah, they're open source and of dubious quality.
      • Re:Newsworthy? (Score:5, Interesting)

        by Henry V .009 (518000) on Saturday March 29, @12:31PM (#22905426) Journal

        Second, no, this "could have happened to any OS" is wrong. A well-crafted browser (in this case, the browser is part of the OS) can in theory prevent browser plugins from accessing anything of importance. However I don't think any existing browsers do that - but they should.
        Irony alert: IE7 is the only browser on the block that does this. I imagine that the vulnerability was accessed through the open-source alternative: Firefox.

        And no, it's not because IE7 is part of the operating system. It's because IE7 uses Microsoft's secure API to achieve sandbox mode. Firefox really needs to start taking advantage of this API. Otherwise their "most secure way to surf" bullshit is going to be called into question real soon.
    • Know this: no one uses linux on desktop,

      The really fun thing about absolute statements is that one counter-example disproves them. I use Linux on desktop. See? You're wrong. :-)

      Of course, so does my wife (who majored in fashion merchandising), and my 88 year old father, and the exchange student who stayed in my house last year, and roughly half of the thousand people at PyCon two weeks ago (just from snooping screens during the plenaries), and about 4% of the desktop users world-wide. True, that's small compared to Windows' 85% share and a bit below Mac's 8%, but it's certainly not "nobody".

      And note that the market share leader Windows survived the Mac by a day (though, my friend the Mac-fan said that only proves the Mac was so much more desirable than the other two laptops - touché! :-)

      Well, anyway, sorry to have fed the troll.