Research In Motion’s BlackBerry was brought low by WebKit-the same open-source technology behind Safari’s defeat-and the Apple iPhone was compromised by a flaw in MobileSafari on the second day of the hacking contest.
A trio of researchers under the name Team Anon successfully exploited multiple WebKit vulnerabilities in a drive-by-download attack to compromise the BlackBerry Torch 9800 to win the Pwn2Own challenge on March 10. Security researchers took turns trying to compromise the Mozilla Firefox browser and two smartphones, the Apple iPhone and the RIM’s BlackBerry, during the second day of the Pwn2Own hacking contest at CanSecWest in Vancouver, British Columbia.
Charlie Miller, a security researcher from Independent Security Evaluators who co-wrote the “Mac Hacker’s Handbook,” partnered with colleague Dion Blazakis to compromise the iPhone with a MobileSafari flaw. Miller had compromised the iPhone during past Pwn2Own contests.
One contestant had signed up for Mozilla Firefox 3.6, but the browser survived. Two contestants had been scheduled to compromise Google Chrome on day one, but one was a no-show and Team Anon decided to focus its energies on the BlackBerry contest and no one else has signed up to try.
“I *love* pwn2own! Safari and IE8 were cracked on the first day, but not Chrome,” Matt Cutts, the head of the Web spam team at Google, posted on Twitter.
However, Chrome surviving so far doesn’t mean it can’t be hacked, just that none of the participating Pwn2Own researchers is aware of an exploitable security hole.
BlackBerry contestants are required to compromise a BlackBerry Torch 9800 running BlackBerry OS 188.8.131.52. Team Anon, a three-man team consisting of Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann, chained an information disclosure bug to a separate integer overflow flaw in WebKit. The team proved it could compromise the smartphone by writing a file to the device and stealing both the contact list and image database.
Since there is no public documentation of the BlackBerry operating system, the team ran several trial-and-error techniques to create the exploit, according to ZDNet’s Ryan Naraine. RIM recently added a WebKit browser to the BlackBerry, but the phone still doesn’t have address space layout randomization (ASLR), data execution prevention (DEP) or code signing, common security technologies on other mobile platforms. While it was “way behind the iPhone” from a security perspective, the BlackBerry benefited from its “obscurity,” Iozzo told Naraine.
“It makes it a bit harder to attack a system if you don’t have documentation and information,” Iozzo said.
Miller pointed the target iPhone’s MobileSafari browser to a rigged Website. On the first attempt at the drive-by-exploit, the browser crashed. Once relaunched, Miller was able to hijack the address book. Miller also used return oriented programming (ROP) techniques to bypass DEP, according to Naraine.
The target iPhone had iOS 4.2.1, not iOS 4.3, which Apple released on March 9, the first day of the contest. The actual MobileSafari flaw remains unfixed in iOS 4.3 but the new addition of ASLR would block the winning exploit. However, it just means the exploit needs to be tweaked to deal with this layer of security, and the phone remains vulnerable until MobileSafari is patched, Miller said.
RIM recently shipped a firmware update for the BlackBerry, but Pinckaers told Naraine that the WebKit flaw remains unpatched in the latest version. Members of the RIM security team were at the event and said they would be working with TippingPoint ZDI to ensure the vulnerabilities are fixed in new versions. Miller said Apple had already been notified about the MobileSafari flaw.
TippingPoint didn’t have a schedule finalized for the third day at the time of writing. The Dell Venue Pro running Windows 7 and a Samsung Nexus S running Android are still left among the mobile platforms. And anyone is still allowed to sign up for Chrome and Firefox.
CanSecWest offered more presentations along with the Pwn2Own contest. There was a presentation on how the Nintendo DS could be used to hijack the home network and spread malware, as well as another session on Adobe Flash ActionScript vulnerabilities and exploits. Another popular panel addressed installing rootkits on firewalls and unified threat management appliances from Juniper, SonicWall and others. What appears to have caught people’s attention, however, was a presentation on how to hack the popular Angry Birds game.
“Just saw some guys inject malicious code into #angrybirds .. is nothing sacred?” Johnathan Norman, a hacker from Houston, posted on Twitter.