[ISN] Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest

From: InfoSec News (alerts@private)
Date: Sun Mar 30 2008 - 22:21:53 PST


http://www.theregister.co.uk/2008/03/29/ubuntu_left_standing/

By Dan Goodin in Vancouver
The Register
29th March 2008

CanSecWest - A laptop running a fully patched version of Microsoft's 
Vista operating system was the second and final machine to fall in a 
hacking contest that pitted the security of Windows, OS X and Ubuntu 
Linux. With both a Windows and Mac machine felled, only the Linux box 
remained standing following the three-day competition.

Shane Macaulay, who played a hand in bringing down a Mac [1] during last 
year's Pwn2Own contest, defeated the Vista machine using a previously 
unknown vulnerability in Adobe Flash. On the final day of the CanSecWest 
conference in Vancouver, Macaulay spent the better part of four hours 
trying to get the exploit to work. (The delay prompted one spectator to 
playfully dub the difficulty "hacktile dysfunction.")

A MacBook Pro running a fully patched version of Leopard was the first 
to drop out [2] during day two of the race, when researchers from 
Independent Security Evaluators demonstrated a previously unknown 
vulnerability in Apple's Safari browser. With brand new boxes running 
both Ubuntu and Vista remaining, Macaulay spent day three switching back 
and forth between the two machines, trying to get his Flash exploit to 
execute properly. He was assisted by Alex Sotirov, a security researcher 
at VMware.

Initially thwarting Macaulay's efforts was the recently released Service 
Pack 1 for Vista, which he had neglected to install when testing the 
Flash exploit in the days leading up to the contest. Per the contest 
rules, each target machine had to be fully patched, and when the 
researcher first ran the code during the competition, new page 
protections added by Microsoft's security team prevented the exploit 
from properly executing.

"They had done some stuff in Vista to prohibit this form of attack from 
being successful on third party software," Macaulay said minutes after 
he finally commandeered the Fujitsu U810 laptop. "We had to do some 
porting to get around that issue."

Macaulay and Sotirov fashioned some JavaScript to circumvent the new 
measure, a feat that effectively allows them "to render that protection 
ineffective," Macaulay said.

It also allows them to pocket a $5,000 bounty from Tipping Point's Zero 
Day Initiative and keep the pricey Fujitsu laptop. Macaulay said he 
would probably sell the machine, which he and Sotirov autographed with a 
black Sharpie pen, on eBay.

Under contest rules, qualifying exploits on day one had to target 
default installations of the operating system itself, and winners were 
allowed to walk away with the hacked box and a $20,000 bounty. Contest 
organizers gradually expanded the eligible attack surface on days two 
and three by allowing vulnerabilities in an increasing number of 
third-party applications. The bounty dropped to $10,000 on day two and 
$5,000 on day three. No one bothered competing on day one.

Plenty of commentators have made hay of the MacBook Pro being the first 
to exit the race, and Linux zealots are sure to conclude the contest 
results prove the superiority of that platform. Maybe. But that's not 
how it looks to Macaulay, who says with a few hours of tweaking, his 
exploit will also work on OS X and Linux.

The better take-away is that exploits like these are a fact of life for 
everyone, no matter what kind of machine they choose (are you listening, 
Mac Guy?). Another lesson: just as quickly as Microsoft or any other 
developer adds new measures like page protection to their code base, 
hackers, ethical and otherwise, are finding ways to work around them.

"Nobody can do anything about it, because you're always going to be 
installing something" that will bypass security, Macaulay, who wore torn 
blue jeans and a Puma jogging jacket, said with a shrug. "If it's not 
Java, it'll be something else."

[1] http://www.theregister.co.uk/2007/04/20/pwn-2-own_winner/
[2] http://www.channelregister.co.uk/2008/03/28/mac_hack/


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Sun Mar 30 2008 - 22:40:49 PST