Pwn2Own Competition: Hack a laptop and you can keep it!

hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Pwn2Own Competition: Hack a laptop and you can keep it!

Post by hamin_aus »

www.theregister.co.uk wrote:
Tired of all the knee-jerk banter from fanboys about whose operating system is the most secure? So are the organizers of the CanSecWest security conference, which will be held in Vancouver later this month. And with a contest awarding as much as $25,000 worth of prizes, they're likely to breathe fresh life into a stale debate.

This year's Pwn2Own competition will place three brand-new, fully patched laptops side by side: a Fujitsu U810 running Vista Ultimate, a Vaio VGN-TZ37Cn running Ubuntu 7.10 and a MacBook Air running Leopard. The first person to remotely run code on each one gets to take the machine home, and is automatically entered into the running for a $25,000 award from TippingPoint, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities.

At last year's Pwn2Own contest, conference organizers challenged attendees to hack into one of two fully patched MacBook Pros to claim the machine and a $10,000 bounty from TippingPoint. Security guru Dino Dai Zovi spent less than 12 hours doing just that, crafting a QuickTime exploit that allowed him to take complete control of the machine.

CanSecWest's Pwn2Own contests are useful because they allow us to isolate the technical strengths and weaknesses of a given platform from its popularity. Acrimonious debate has fomented for years about whether the high number of real-world Windows exploits - compared to those of OS X, Linux and other operating systems - is a natural consequence of having a 90-percent chunk of the market or the result of sloppy and insecure coding practices at Microsoft.

There's at least some merit to the argument that organized cyber crime gangs - just like makers of popular games Half-Life 2 and Crysis - don't write for the Mac and Linux because the smaller market shares make it impossible to get a return on the investment. The Pwn2Own contest, by offering a considerable incentive for exploits of these platforms, helps to neutralize the economic variable.

"These computers are REAL and FULLY patched," conference organizer Dragos Ruiu wrote in an email announcing the rules. "All third party software is widely used. There are no imitation vulnerabilities. Any exploit successfully used in this contest would also compromise a significant percentage of the internet connected hosts."

The rules for this year's contest include:
  • Limit one laptop per contestant
  • The same vulnerability can't be used against more than one box
  • Attacks will be performed using a cross-over cable (with the attacker controlling the default route) or using radio-frequency by special arrangement.
  • Winning exploits must target a previously unknown vulnerability; vulns that have already been reported to the affected software maker or a third party are not eligible.
Each of the machines will include widely deployed applications, including web browsers (Internet Explorer, Safari, Konqueror and Firefox), instant messengers (AIM, MSN, Yahoo, Adium, Skype and Pidgin) and email clients (Outlook, Mail.app, Thunderbird, kmail, mutt).
Synthesis
Registered User
Posts: 14517
Joined: 25 May 2006, 02:00
Location: Location, Location

Post by Synthesis »

Who dares me to run in with a stocking over my head and a realistic water pistol, stealing all 3 machines.
Bet that's an original exploit they didn't expect! :lol:
Vampyre_2099
Registered User
Posts: 1321
Joined: 04 Nov 2007, 02:00
Location: /home/jhb/fourways

Post by Vampyre_2099 »

Synthesis that would be awesome
Desktop: Q8200 @ 2.33GHz ~ TRUE ~ DP35DP ~ 4GB Transcend Jetram RAM ~ Nvidia 8800GT ~ 250GB HDD
Notebook: T5550 @ 1.83GHz ~ 2GB RAM ~ ATI HD 2400 XT ~ 160GB HDD
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Post by rustypup »

Macintosh Notebook 'Air' gone in 120 seconds. yes, i don't play the wetard apple-contraction-marketing game... i'm surprised they managed to avoid shoving a lowercase 'i' in there... ooo... sneaky sods...
Most people would sooner die than think; in fact, they do so - Bertrand Russell
GreyWolf
Registered User
Posts: 4754
Joined: 06 Aug 2003, 02:00
Processor: PHENOM II 945
Motherboard: Asus M4A78
Graphics card: HIS ICEQ 4850 1GB
Memory: 4GB CORSAIR XMS II 1066
Location: , location, location!

Post by GreyWolf »

bwahahahah! stupid mac...

check out www.theregister.co.uk

they reported on this, and all the mac fanboys are coming up with excuses...
"Every normal man must be tempted at times to spit on his hands, hoist that black flag, and begin slitting throats."
- H. L. Mencken
Anakha56
Forum Administrator
Posts: 22136
Joined: 14 Jun 2004, 02:00
Processor: Ryzen 1700K
Motherboard: Asus X370
Graphics card: Asus 1060 Strix
Memory: 16GB RAM
Location: Where Google says

Post by Anakha56 »

:lol:

So the mac dies first! Microsoft must be happy about that :P :lol:
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Post by rustypup »

the results were pretty decisive... Ubuntu came through without a scratch......
Most people would sooner die than think; in fact, they do so - Bertrand Russell
Acidkidsa
Registered User
Posts: 1029
Joined: 06 Mar 2006, 02:00

Post by Acidkidsa »

Give me a panga, I will be hacking in a split second..
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Post by hamin_aus »

As of today, since the Vista and Ubuntu laptops are still standing unscathed, we are now opening up the scope beyond just default installed applications on those laptops; any popular 3rd party application (as deemed "popular" by the judges) can now be installed on the laptops
So if a "popular" 3rd party app is installed and creates an exploitable security vulnerability it is still Microsoft's fault :?:

No, rather, I think this was a ploy to get results one way or another.

If for EG you exploit a bug in Winamp to mess up a PC, it is Nullsoft which should be accountable.

Also, let's not forget how many "popular" Windows apps there are, compared to the pitifully few apps of any popularity for Linux.
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Post by rustypup »

:lol: would you like some cheese with that?

considering the exploits which succeeded, buffer overruns should not be happening anymore... how difficult is it to implement boundary checking? it is, after all, 2008...
Most people would sooner die than think; in fact, they do so - Bertrand Russell
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Post by hamin_aus »

They continually change the rules of the game until they get the results they want.
We had a term for that on the playground. We called it squealing.

Whether it was Windows or Linux which buckled first, my point stands.
3rd Party apps inherently create vulnerabilities.
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Post by rustypup »

jamin_za wrote: 3rd Party apps inherently create vulnerabilities.
i stand corrected, sir..

Note to all Windows users: Installing any software whatsoever on your newly purchased Windows PC will void any and all warranties and may cause the system to become insecure.

Just stare at the pretty desktop. That's what it's there for.... :lol:
Most people would sooner die than think; in fact, they do so - Bertrand Russell
WiK1d
Registered User
Posts: 20732
Joined: 13 Sep 2004, 02:00
Location: Cruising the streets of Pretoria

Post by WiK1d »

Did 3rd party apps make linux budge?
Stuart
Lead Forum Administrator
Posts: 38503
Joined: 19 May 2005, 02:00
Location: Home

Re: Pwn2Own Competition: Hack a laptop and you can keep it!

Post by Stuart »

Washington Post wrote:Pwn2Own — an annual computer-security contest in which researchers vie to win cash prizes and computer hardware by exploiting Web browsers — ended last week, and the results may surprise you.

The first browser to get hacked was Apple’s Safari. As Ars Technica’s Peter Bright wrote on Thursday, the almost-current 5.0.3. version of Safari, running on an up-to-date copy of Mac OS X 10.6.6, succumbed to a malicious page written by researchers with VUPEN, a French security firm, in a few seconds.

They proved the attack by remotely launching the Mac’s Calculator program and writing a file to the MacBook Air’s flash drive — earning them the right to keep the laptop, as per the contest’s rules.

Microsoft’s Internet Explorer 8, running on Windows 7 updated with Service Pack 1, fell later that day. Bright’s report notes that the IE 8 hack involved more exploits and took five to six weeks to construct, against two for the Safari exploit.

On the second day of Pwn2Own (organized by HP’s Austin-based TippingPoint DVLabs subsidiary and held at the CanSecWest conference in Vancouver every year), the iPhone 4 and a BlackBerry Torch smartphone also suffered successful hacks. Although the iPhone 4 was not running Apple’s just-released iOS 4.3 — the contest rules only required that the target device be running software current as of the week before — the vulnerability exploited in the attack exists in 4.3, too.

Over both days, nobody even tried to challenge Google’s Chrome (even though Google offered a separate cash award to anybody who could hack Chrome), Mozilla Firefox, a Nexus S smartphone running Google’s Android 2.3 operating system or a Dell Venue Pro with Microsoft’s Windows Phone 7.

Anakha56
Forum Administrator
Posts: 22136
Joined: 14 Jun 2004, 02:00
Processor: Ryzen 1700K
Motherboard: Asus X370
Graphics card: Asus 1060 Strix
Memory: 16GB RAM
Location: Where Google says

Re: Pwn2Own Competition: Hack a laptop and you can keep it!

Post by Anakha56 »

:lol: And yet again Apple shows that they are more secure than Microsoft, it took longer to make to boot :roll:...

I love these comps puts all fanbois in place... :P
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
Sojourn
Registered User
Posts: 5649
Joined: 02 Sep 2004, 02:00
Location: Still looking...

Re: Pwn2Own Competition: Hack a laptop and you can keep it!

Post by Sojourn »

Anakha56 wrote: :lol: And yet again Apple shows that they are more secure than Microsoft, it took longer to make to boot :roll:...

I love these comps puts all fanbois in place... :P
sarcasm or brain faster than fingers?
Anakha56
Forum Administrator
Posts: 22136
Joined: 14 Jun 2004, 02:00
Processor: Ryzen 1700K
Motherboard: Asus X370
Graphics card: Asus 1060 Strix
Memory: 16GB RAM
Location: Where Google says

Re: Pwn2Own Competition: Hack a laptop and you can keep it!

Post by Anakha56 »

You decide ;). The lol is meant to be on top but yes sarcasm...
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.