Pwnd! Safari on Mac OS X and Internet Explorer 8 on Windows 7 fell on the first day of the Pwn2Own hacking contest at CanSecWest.
Despite the last-minute update from Apple, Safari was the first to be cracked by security researchers on the first day of the Pwn2Own hacking contest.
A team of security researchers from the French penetration test company VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win the Pwn2Own challenge on March 9. Security researchers took turns trying to compromise the most up-to-date versions of Microsoft Internet Explorer, Apple's Safari, Mozilla Firefox and Google Chrome on the first day of the hacking contest at CanSecWest in Vancouver, British Columbia.
VUPEN cracked Safari in "5 seconds," claimed several messages on Twitter from attendees.
In contrast, the two contestants who signed up to hack Google Chrome were no-shows. Chrome survived day one, and Google gets to hang onto its $20,000 prize.
VUPEN co-founder Chaouki Bekrar used a specially rigged Website that compromised a 64-bit version of a fully patched Mac OS X running on a MacBook. The three-man team spent about two weeks to find the vulnerability in WebKit, the open-source browser rendering engine Safari is based on, and to write the exploit, Bekrar told ZDNet's Ryan Naraine, who was at the contest.
The winning exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X. The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.
"The victim visits a Web page, he gets owned. No other interaction is needed," Bekrar told Naraine.
For the Internet Explorer portion of the contest, the prize went to Irish security researcher Stephen Fewer, according to Naraine. He successfully hacked into a 64-bit Windows 7 machine running Internet Explorer 8 using three different vulnerabilities and custom exploits. Fewer used two different zero-day bugs in IE that he'd found previously to get reliable code execution, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox to get to the operating system.
Like VUPEN, Fewer's attack also successfully bypassed DEP and ASLR in Windows 7.
VUPEN was the first contestant to crack Safari. There were three other researchers, including previous three-time winner Charlie Miller, but under the contest's winner-takes-all rules, the competition was over as soon as VUPEN succeeded. VUPEN had also signed up to test Internet Explorer, but was slated to go second after Fewer, the first contestant for Internet Explorer.
One contestant is scheduled for March 10, the second day of the contest, to attempt Mozilla Firefox, before the mobile platform portion of the contest begins, according to a spokesperson from TippingPoint ZDI, the contest's sponsor. Contestants will begin with the Apple iPhone, followed by RIM BlackBerry, Samsung Nexus S running Android and Dell Venue Pro running Windows 7.
Apple released a last-minute update that patched a number of vulnerabilities in Safari and iOS, but it appears that the target iPhones will not be running iOS 4.3, said Security Generation on Twitter. It is not clear at this time whether VUPEN compromised the new Apple Safari 5.0.4, which Apple had released hours before the contest.
Google and Mozilla had patched their browsers the week before the contest, but Microsoft had not.
Fewer won a $15,000 cash prize and a new Sony Vaio laptop running Windows 7 for being the first of the three researchers to hack the Windows browser. VUPEN claimed the other $15,000 cash prize and a 13-inch Apple MacBook Air running Mac OS X Snow Leopard for cracking Safari.
Technical details of the exploits legally belong to TippingPoint under contest rules. TippingPoint will provide information to Microsoft and Apple and give them six months to fix the flaws before publicizing them.
CanSecWest is not just about hacking. There were also several panels, such as the one by a pair of security researchers from Germany who demonstrated several techniques that enabled them to remotely reboot, shut down and completely disable many popular mobile phones with SMS messages.