Despite the last-minute update from Apple, Safari was the first to be cracked by security researchers on the first day of the Pwn2Own hacking contest.
A team of security researchers from the French penetration test company VUPEN successfully exploited a zero-day flaw in Apple’s Safari browser to win the Pwn2Own challenge on March 9. Security researchers took turns trying to compromise the most up-to-date versions of Microsoft Internet Explorer, Apple’s Safari, Mozilla Firefox and Google Chrome on the first day of the hacking contest at CanSecWest in Vancouver, British Columbia.
VUPEN cracked Safari in “5 seconds,” claimed several messages on Twitter from attendees.
VUPEN co-founder Chaouki Bekrar used a specially rigged Website that compromised a 64-bit version of a fully patched Mac OS X running on a MacBook. The three-man team spent about two weeks to find the vulnerability in WebKit, the open-source browser rendering engine Safari is based on, and to write the exploit, Bekrar told ZDNet’s Ryan Naraine, who was at the contest.
The winning exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X. The team had to launch the calculator application and write to a file on the computer to prove the exploit had successfully gained full user access on the hijacked machine.
“The victim visits a Web page, he gets owned. No other interaction is needed,” Bekrar told Naraine.
For the Internet Explorer portion of the contest, the prize went to Irish security researcher Stephen Fewer, according to Naraine. He successfully hacked into a 64-bit Windows 7 machine running Internet Explorer 8 using three different vulnerabilities and custom exploits. Fewer used two different zero-day bugs in IE that he’d found previously to get reliable code execution, and then exploited a third vulnerability that allowed him to jump out of the IE Protected Mode sandbox to get to the operating system.
Like VUPEN, Fewer’s attack also successfully bypassed DEP and ASLR in Windows 7.
VUPEN was the first contestant to crack Safari. There were three other researchers, including previous three-time winner Charlie Miller, but under the contest’s winner-takes-all rules, the competition was over as soon as VUPEN succeeded. VUPEN had also signed up to test Internet Explorer, but was slated to go second after Fewer, the first contestant for Internet Explorer.
One contestant is scheduled for March 10, the second day of the contest, to attempt Mozilla Firefox, before the mobile platform portion of the contest begins, according to a spokesperson from TippingPoint ZDI, the contest’s sponsor. Contestants will begin with the Apple iPhone, followed by RIM BlackBerry, Samsung Nexus S running Android and Dell Venue Pro running Windows 7.
Apple released a last-minute update that patched a number of vulnerabilities in Safari and iOS, but it appears that the target iPhones will not be running iOS 4.3, said Security Generation on Twitter. It is not clear at this time whether VUPEN compromised the new Apple Safari 5.0.4, which Apple had released hours before the contest.
Fewer won a $15,000 cash prize and a new Sony Vaio laptop running Windows 7 for being the first of the three researchers to hack the Windows browser. VUPEN claimed the other $15,000 cash prize and a 13-inch Apple MacBook Air running Mac OS X Snow Leopard for cracking Safari.
Technical details of the exploits legally belong to TippingPoint under contest rules. TippingPoint will provide information to Microsoft and Apple and give them six months to fix the flaws before publicizing them.
CanSecWest is not just about hacking. There were also several panels, such as the one by a pair of security researchers from Germany who demonstrated several techniques that enabled them to remotely reboot, shut down and completely disable many popular mobile phones with SMS messages.