PWN2OWN @ CanSecWest


The TippingPoint Zero Day Initiative (ZDI) annual  Pwn2Own contest is back again this year at the CanSecWest security conference held in Vancouver, BC on March 24th 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This is the 4th year running and to commemorate ZDI  increased the total cash prize amount to $100,000 USD. If you’re unfamiliar with the past history of this competition check out the archived 2008 and 2009 entries on the ZDI blog.

CanSecWest, touted as the world’s most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.
This year the competition had 2  main technology targets. In keeping with tradition the first portion of the event attempted to bring to light the current security posture of market-leading web browser and operating system pairings. The multifaceted web browser continues to occupy a critical presence on the client-side attack surface. As Adobe, Google, and an estimated 30 other companies affected in the Aurora incident can attest to, the security posture of these products merits a yearly public evaluation by the research community at large.

The second portion of Pwn2Own 2010 offers bounties for vulnerabilities affecting mobile phones. The increased presence and capabilities of smart phones has brought with it the same security issues and attention traditionally reserved for non hand-held platforms. Vulnerabilities in parsing media, dynamic web content, e-mail, and other client-side issues have been published in the past. Additionally, many of the communication protocols that mobile phones implement are the focus of a burgeoning field of security research (ex: Lackey/Miras, Langlois, Bailey). The data stored and communicated across these devices is increasing in value to attackers.

Winners So far:

Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone in the first time slot. They exploited a Safari vulnerability with a payload which retrieved the text messages from the device.

Charlie Miller (Twitter: 0xcharlie) competed successfully for the third year in a row, taking home the MacBook Pro via a Safari exploit which delivered a full command shell payload.

Peter Vreugdenhil (Twitter: WTFuzz) succeeded against Internet Explorer 8 on Windows 7 64bit taking home the HP Envy Beats. His exploit was quite impressive from a technical impressive, bypassing all the anti-exploitation features.

Nils from MWR InfoSecurity (Twitter: MWRLabs) closed out the day with the successful of Firefox on Windows 7 taking home the Sony Vaio. He utilized the quintessential calc.exe launching payload.

The remaining registered competitor is scheduled against the Nokia but is currently missing in action.

As the luck of the draw would have it Nils on Safari, MemACCT on IE 8 and Anonymous on iPhone lost their time slots as the prizes had already been claimed. Their vulnerabilities are still eligible for submission through the Zero Day Initiative.

Google Chrome remains untested and the last browser standing as of Day 2.

via CanSecWest Applied Security Conference: Vancouver, British Columbia, Canada.

Leave a Reply