Multiple WebKit vulnerabilities bring down RIM's BlackBerry and a flaw in MobileSafari dooms the Apple iPhone in the second day of the Pwn2Own hacking contest. Google and Firefox are safe.
Research In Motion's BlackBerry was brought low by WebKit, the same
open-source technology behind Safari's defeat, and the Apple iPhone was
compromised by a flaw in MobileSafari on the second day of the hacking contest.
A trio of researchers under the name Team Anon successfully exploited
multiple WebKit vulnerabilities in a drive-by-download attack to compromise the
BlackBerry Torch 9800 to win the Pwn2Own
challenge on March 10. Security researchers took turns trying to compromise the
Mozilla Firefox browser and two smartphones, the Apple iPhone and RIM's
BlackBerry, during the second day of the Pwn2Own hacking contest at CanSecWest
in Vancouver, British Columbia.
Charlie Miller, a security researcher from Independent Security Evaluators
who co-wrote the "Mac Hacker's Handbook," partnered with colleague
Dion Blazakis to compromise the iPhone with a MobileSafari flaw. Miller had
compromised the iPhone during past Pwn2Own contests.
One contestant had signed up for Mozilla Firefox 3.6, but the browser
survived. Two contestants had been scheduled to compromise Google
Chrome on day one, but one was a no-show and Team Anon decided to focus its
energies on the BlackBerry contest, and no one else has signed up to try.
"I *love* pwn2own! Safari and IE8 were cracked on the first day, but
not Chrome," Matt Cutts, the head of the Web spam team at Google, posted.
However, Chrome surviving so far doesn't mean it can't be hacked, just that
none of the participating Pwn2Own researchers is aware of an exploitable
BlackBerry contestants are required to compromise a BlackBerry Torch 9800
running BlackBerry OS 126.96.36.199. Team Anon, a three-man team consisting of
Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann, chained an
information disclosure bug to a separate integer overflow flaw in WebKit. The
team proved it could compromise the smartphone by writing a file to the device
and stealing both the contact list and image database.
Since there is no public documentation of the BlackBerry operating system,
the team relied on trial and error to create the exploit,
according to ZDNet's Naraine. RIM recently added a WebKit browser to the BlackBerry, but
the phone still doesn't have address space layout randomization (ASLR), data
execution prevention (DEP) or code signing, common security technologies on
other mobile platforms. While it was "way behind the iPhone" from a
security perspective, the BlackBerry benefited from its "obscurity,"
Iozzo told Naraine.
"It makes it a bit harder to attack a system if you don't have
documentation and information," Iozzo said.
Miller pointed the target iPhone's MobileSafari browser to a rigged Website.
On the first attempt at the drive-by-exploit, the browser crashed. Once
relaunched, Miller was able to hijack the address book. Miller also used
return-oriented programming (ROP) techniques to
bypass DEP, according to Naraine.
The target iPhone had iOS 4.2.1, not iOS 4.3, which Apple released on March
9, the first day of the contest. The actual MobileSafari flaw remains unfixed
in iOS 4.3, but the newly added ASLR would block the winning exploit.
However, that only means the exploit needs to be tweaked to deal with this layer
of security, and the phone remains vulnerable until MobileSafari is patched.
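The article names ASLR, DEP and code signing as the mitigations the BlackBerry lacked, and ASLR as the iOS 4.3 addition that would block Miller's ROP-based DEP bypass. A defender's first question about any binary is whether it is even built to benefit from those mitigations. The following Python script is an added example, not code from the article or from RIM, Apple or TippingPoint: it parses the ELF header of a Linux binary (a simplified checksec-style check; BlackBerry OS and iOS use their own executable formats, so this is the generic version) and reports whether the file is a PIE, so ASLR can randomize its base, and whether it declares a non-executable stack, the NX/DEP bit. The names `check_hardening` and `build_sample_elf64` are mine; the latter constructs a header-only sample image so the check runs offline, and passing a real file path as the first argument checks that file instead.

```python
import struct
import sys

# ELF constants as defined by the System V ABI and the Linux ELF headers
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # fixed-address executable vs. position-independent (PIE)
PT_GNU_STACK = 0x6474E551       # program header that states the intended stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def check_hardening(image: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool} for an ELF32 or ELF64 image.

    'pie' is True when e_type is ET_DYN, i.e. the file can be loaded at a
    randomized base so ASLR covers its own code and data, not just libraries.
    'nx' is True only when a PT_GNU_STACK header is present without PF_X;
    a missing header is reported as no NX, since the loader may then fall
    back to an executable stack.
    """
    if image[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = image[4] == 2              # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if image[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(end + "H", image, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", image, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", image, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 42)

    stack_exec = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", image, off)
        # p_flags follows p_type directly in ELF64 but sits at offset 24 in ELF32
        (p_flags,) = struct.unpack_from(end + "I", image, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": stack_exec is False}


def build_sample_elf64(pie: bool, nx: bool) -> bytes:
    """Constructed sample input: a header-only x86-64 ELF image (not loadable) for the check."""
    phoff, phentsize, phnum = 64, 56, 1
    ehdr = struct.pack(
        "<4sBBBBB7xHHIQQQIHHHHHH",
        ELF_MAGIC, 2, 1, 1, 0, 0,             # e_ident: ELF64, little-endian, version 1, SysV ABI
        ET_DYN if pie else ET_EXEC, 0x3E, 1,  # e_type, e_machine (x86-64), e_version
        0x1000, phoff, 0,                     # e_entry, e_phoff, e_shoff
        0, 64, phentsize, phnum, 64, 0, 0,    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    flags = PF_R | PF_W | (0 if nx else PF_X)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_hardening(f.read()))
    else:
        for pie, nx in ((True, True), (False, False)):
            print(f"sample pie={pie} nx={nx} ->", check_hardening(build_sample_elf64(pie, nx)))
```

Two caveats belong with the result. A PIE only gains anything if the kernel actually randomizes mappings, and an NX flag only if the CPU and kernel enforce it, so the file-level check is necessary, not sufficient. And as the article itself shows with Team Anon's chain, an information-disclosure bug can hand an attacker the addresses that ASLR was meant to hide, which is why the iOS 4.3 exploit "needs to be tweaked" rather than being dead.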
RIM recently shipped a firmware update for the BlackBerry, but Pinckaers
told Naraine that the WebKit flaw remains unpatched in the latest version.
Members of the RIM security team were at the event and said they would be
working with TippingPoint ZDI to ensure the vulnerabilities are fixed in new
versions. Miller said Apple had already been notified about the MobileSafari
TippingPoint didn't have a schedule finalized for the third day at the time
of writing. The Dell Venue Pro running Windows 7 and a Samsung Nexus S running
Android are still left among the mobile platforms. And anyone is still allowed
to sign up for Chrome and Firefox.
CanSecWest offered more presentations along with the Pwn2Own contest. There
was a presentation on how the Nintendo DS could be used to hijack the home
network and spread malware, as well as another session on Adobe Flash
ActionScript vulnerabilities and exploits. Another popular panel addressed installing
rootkits on firewalls and unified threat management appliances from Juniper,
SonicWall and others. What appears to have caught people's attention, however,
was a presentation on how to hack the popular Angry Birds game.
"Just saw some guys inject malicious code into #angrybirds .. is
nothing sacred?" Johnathan, a hacker from Houston, posted.