Score another for the hacker community.
At the Pwn2Own contest at this week’s CanSecWest Applied Security conference in Vancouver, hackers have had their way with the Apple iPhone, Mac and Safari, as well as Mozilla Firefox and Microsoft Internet Explorer. The iPhone fell courtesy of Vincenzo Iozzo of Zynamics and independent security researcher Ralf-Philipp Weinmann, who developed an attack that bypassed the code signing and data execution prevention features that prevent arbitrary code from running. To this, they “chained existing code bits” (TXT file) in a technique known as return-into-libc or return-oriented-programming, according to Zynamics.
“A bug in Safari was exploited that extracted the SMS database from the phone and uploaded it to a server,” Zynamics CEO Halvar Flake explained in a blog post.
The Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections in Windows 7 were circumvented by contestants as part of their efforts to exploit Firefox and Internet Explorer (IE) 8. The IE attack was the work of Dutch hacker Peter Vreugdenhil, who published a paper (PDF file) on his methods. The paper omits certain details of the attack.
A researcher from U.K.-based MWR InfoSecurity going by the hacker-name “Nils” circumvented the ASLR and DEP features on Windows 7 and exploited a flaw in Firefox. In an interview here, he explained that part of the issue was Mozilla’s “implementation of the protection mechanisms themselves,” and that getting around Microsoft’s protections was the hardest part of the attack.
Well-known Mac security researcher Charlie Miller of Independent Security Evaluators once again took down the Mac OS X operating system, this time using a drive-by download attack on Safari 4 to get control of the computer.
According to contest rules, the details of the vulnerabilities must be disclosed to the affected vendors.