Pwn2Own
Encyclopedia
Pwn2Own is a computer hacking
contest held at the annual CanSecWest security conference
, beginning in 2007. Contestants are challenged to exploit
specific software
(especially web browser
s and other web related software) / computing platform targets with previously unknown vulnerabilities (with so called zero-day attacks). Contestant winners receive the device/computer that was successfully exploited and a cash prize - the name "Pwn2Own" means pwn
(=hack) to own (you can go home with one).
For each successful exploit, the contest's sponsor, TippingPoint
, provides a report to the applicable vendor, detailing the vulnerability and how it was exploited. The details are not released to the public until the vendor has corrected the vulnerability.
vulnerability which allowed arbitrary command execution.
7.10. On the second day of the contest, when the rules were loosened and allowed attack surfaces expanded to include Web browsers, Charlie Miller
compromised Mac OS X through an unpatched vulnerability of the PCRE library used by Safari. Miller had been aware of the flaw prior to the beginning of the conference and worked to exploit it unannounced. The exploited vulnerability was patched in Safari 3.1.1, among other flaws. At the end of the contest, only the Ubuntu system remained unexploited.
, Java
, .Net
, Quicktime
. User goes to link.
and Safari.
was left out of the contests as a target: The ZDI team argues that Opera has a low market share and that Chrome and Safari are only included "due to their default presence on various mobile platforms". However, Opera's rendering engine, Presto
, is present on millions of mobile platforms.
, Canada
. http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011
For the mobile browser category, the following teams registered:
The second and last browser to fall for the day was a 32-bit Internet Explorer 8 installed on 64-bit Windows 7 Service Pack 1. Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. Just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk.
and Dion Blazakis were able to gain access to the iPhone's address book through a vulnerability in Mobile Safari by visiting their exploit ridden webpage. The iPhone was running iOS 4.2.1, however the flaw exists in the current 4.3 version of the iOS.
Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann were successful in exploiting the Blackberry Torch 9800. The team took advantage of a vulnerability in the Blackberry's WebKit based web browser by visiting their previously prepared webpage. The phone was running BlackBerry OS 6.0.0.246.
Firefox, Android and Windows Phone 7 were scheduled to be tested during day 2, but the security researchers that had been chosen for these platforms did not attempt any exploits. Sam Thomas had been selected to test Firefox, but he withdrew stating that his exploit was not stable. The researchers that had been chosen to test Android and Windows Phone 7 did not show up.
Hacker (computer security)
In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...
contest held at the annual CanSecWest security conference
Computer security conference
A computer security conference is a term that describes a convention for individuals involved in computer security. They generally serve as a meeting place for system and network administrators, hackers, and computer security experts....
, beginning in 2007. Contestants are challenged to exploit
Exploit (computer security)
An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...
specific software
Computer software
Computer software, or just software, is a collection of computer programs and related data that provide the instructions for telling a computer what to do and how to do it....
(especially web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
s and other web related software) / computing platform targets with previously unknown vulnerabilities (with so called zero-day attacks). Contestant winners receive the device/computer that was successfully exploited and a cash prize - the name "Pwn2Own" means pwn
Pwn
Pwn is a leetspeak slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated .In hacker...
(=hack) to own (you can go home with one).
For each successful exploit, the contest's sponsor, TippingPoint
Tippingpoint
TippingPoint was an American software company with roots back to 1999 focused on network security products, particularly intrusion prevention systems for networks. TippingPoint was acquired by 3Com Corporation in 2005, and was run as an autonomous security-focused division from 2005 to 2010. On...
, provides a report to the applicable vendor, detailing the vulnerability and how it was exploited. The details are not released to the public until the vendor has corrected the vulnerability.
Contest 2007
In the first contest, Dino A. Dai Zovi and Shane Macaulay worked together to take down the first MacBook Pro. On the second day of the conference Macauley sent an email which redirected the user to a malicious site. The site was able to infect the machine with a client-side JavascriptJavaScript
JavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
vulnerability which allowed arbitrary command execution.
Contest 2008
In the 2008 contest, a successful exploit of Safari caused Mac OS X to be the first OS to fall in a hacking competition. Participants competed to find a way to read the contents of a file located on the user's desktop, in one of three operating systems: Mac OS X Leopard, Windows Vista SP1, and UbuntuUbuntu (operating system)
Ubuntu is a computer operating system based on the Debian Linux distribution and distributed as free and open source software. It is named after the Southern African philosophy of Ubuntu...
7.10. On the second day of the contest, when the rules were loosened and allowed attack surfaces expanded to include Web browsers, Charlie Miller
Charlie Miller (security researcher)
Charles Miller is a computer security researcher with the consulting firm Accuvant LABS.Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple...
compromised Mac OS X through an unpatched vulnerability of the PCRE library used by Safari. Miller had been aware of the flaw prior to the beginning of the conference and worked to exploit it unannounced. The exploited vulnerability was patched in Safari 3.1.1, among other flaws. At the end of the contest, only the Ubuntu system remained unexploited.
Targets: web browsers
- Internet Explorer 8Internet Explorer 8Windows Internet Explorer 8 is a web browser developed by Microsoft in the Internet Explorer browser series. The browser was released on March 19, 2009 for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Both 32-bit and 64-bit builds are available...
on Windows 7 Beta - Mozilla FirefoxMozilla FirefoxMozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...
on Windows 7 Beta - Google ChromeGoogle ChromeGoogle Chrome is a web browser developed by Google that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. The name is derived from the graphical user interface frame, or...
on Windows 7 Beta - Safari 3.2Safari (web browser)Safari is a web browser developed by Apple Inc. and included with the Mac OS X and iOS operating systems. First released as a public beta on January 7, 2003 on the company's Mac OS X operating system, it became Apple's default browser beginning with Mac OS X v10.3 "Panther". Safari is also the...
on Mac OS XMac OS XMac OS X is a series of Unix-based operating systems and graphical user interfaces developed, marketed, and sold by Apple Inc. Since 2002, has been included with all new Macintosh computer systems... - Mozilla Firefox on Mac OS X
Day 2
Adobe FlashAdobe Flash
Adobe Flash is a multimedia platform used to add animation, video, and interactivity to web pages. Flash is frequently used for advertisements, games and flash animations for broadcast...
, Java
Java (programming language)
Java is a programming language originally developed by James Gosling at Sun Microsystems and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities...
, .Net
.NET Framework
The .NET Framework is a software framework that runs primarily on Microsoft Windows. It includes a large library and supports several programming languages which allows language interoperability...
, Quicktime
QuickTime
QuickTime is an extensible proprietary multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and...
. User goes to link.
Targets: Mobile phones
- BlackBerryBlackBerryBlackBerry is a line of mobile email and smartphone devices developed and designed by Canadian company Research In Motion since 1999.BlackBerry devices are smartphones, designed to function as personal digital assistants, portable media players, internet browsers, gaming devices, and much more...
- T-MobileT-MobileT-Mobile International AG is a German-based holding company for Deutsche Telekom AG's various mobile communications subsidiaries outside Germany. Based in Bonn, Germany, its subsidiaries operate GSM and UMTS-based cellular networks in Europe, the United States, Puerto Rico and the US Virgin Islands...
's G1HTC DreamThe HTC Dream is an Internet-enabled smartphone with an operating system designed by Google and hardware designed by HTC...
with Android - Apple iPhoneIPhoneThe iPhone is a line of Internet and multimedia-enabled smartphones marketed by Apple Inc. The first iPhone was unveiled by Steve Jobs, then CEO of Apple, on January 9, 2007, and released on June 29, 2007...
- NokiaNokiaNokia Corporation is a Finnish multinational communications corporation that is headquartered in Keilaniemi, Espoo, a city neighbouring Finland's capital Helsinki...
's N95Nokia N95The Nokia N95 is a smartphone produced by Nokia as part of their Nseries line of portable devices. It was released in 2007. The N95 runs Symbian OS v9.2, with a S60 3rd Edition user interface. The phone has a two-way sliding mechanism, which can be used to access either media playback buttons or...
with Symbian - HTC TouchHTC TouchThe HTC Touch, also known as the HTC P3450 or its codename the HTC Elf, is a Windows Mobile 6-powered Pocket PC designed and manufactured by HTC. Its main, unique feature is a user interface named TouchFLO that detects a sweeping motion and can distinguish between a finger and a stylus...
with Windows MobileWindows MobileWindows Mobile is a mobile operating system developed by Microsoft that was used in smartphones and Pocket PCs, but by 2011 was rarely supplied on new phones. The last version is "Windows Mobile 6.5.5"; it is superseded by Windows Phone, which does not run Windows Mobile software.Windows Mobile is...
Successful exploits
- Charlie MillerCharlie Miller (security researcher)Charles Miller is a computer security researcher with the consulting firm Accuvant LABS.Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple...
performed another successful exploit of Safari to hack into a Mac. Miller again acknowledged that he had advance knowledge of the security flaw prior to the competition, and had done considerable research and preparation work on the exploit. Apple released a patch for this exploit and others on May 12, 2009 in Safari 3.2.3. - Nils defying DEPData Execution PreventionData Execution Prevention is a security feature included in modern operating systems.It is known to be available in Linux, Mac OS X, and Microsoft Windows operating systems and is intended to prevent an application or service from executing code from a non-executable memory region. This helps...
and ASLRAddress space layout randomizationAddress space layout randomization is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.- Benefits :Address space randomization hinders...
to exploit Internet Explorer 8. - Nils exploit Safari and Firefox on the Mac.
- Julien Tinnes, who successfully exploited both Firefox and Safari.
Contest 2010
The Competition started at March 24, 2010 and had a total cash prize pool of US$100,000. On March 15—nine days before the contest was to begin—Apple released sixteen patches for WebKitWebKit
WebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Apple Safari and by October 2011 held over 33% of the browser market share between them. It is also used as the basis for the experimental browser included with the Amazon Kindle ebook...
and Safari.
Software to exploit
$40,000 of the $100,000 are reserved for web browsers, where each target is worth $10,000.Day 1
- Microsoft Internet Explorer 8Internet Explorer 8Windows Internet Explorer 8 is a web browser developed by Microsoft in the Internet Explorer browser series. The browser was released on March 19, 2009 for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Both 32-bit and 64-bit builds are available...
on Windows 7 - Mozilla Firefox 3.6Mozilla Firefox 3.6Mozilla Firefox 3.6 is a version of the Firefox web browser released in January 2010. The release's main improvement over Firefox 3.5 is improved performance . It uses the Gecko 1.9.2 engine , which improves compliance with web standards...
on Windows 7 - Google Chrome 4 on Windows 7
- Apple Safari 4 on Mac OS X Snow Leopard
Day 2
- Microsoft Internet Explorer 8 on Windows VistaWindows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
- Mozilla Firefox 3 on Windows Vista
- Google Chrome 4 on Windows Vista
- Apple Safari 4 on Mac OS X Snow Leopard
Day 3
- Microsoft Internet Explorer 8 on Windows XPWindows XPWindows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
- Mozilla Firefox 3 on Windows XP
- Google Chrome 4 on Windows XP
- Apple Safari 4 on Mac OS X Snow Leopard
Target: Mobile Phones
$60,000 of the total $100,000 cash prize pool is allotted to the mobile phone portion of the contest, each target is worth $15,000.- Apple iPhone 3GSIPhone 3GS-Camera:The iPhone 3GS features an improved 3 megapixel camera manufactured by OmniVision. In addition to the higher megapixel count, it also features auto-focus, auto white balance and auto macro and is capable of capturing VGA video...
- RIMResearch In MotionResearch In Motion Limited or RIM is a Canadian multinational telecommunications company headquartered in Waterloo, Ontario, Canada that designs, manufactures and markets wireless solutions for the worldwide mobile communications market...
BlackBerry Bold 9700 - Nokia E72Nokia E72The Nokia E72 is a smartphone from the Nokia Eseries range that manufactured in Finland. It is the successor to the Nokia E71 and is based on a similar design and form factor, and offers a similar feature set...
device running Symbian - HTC Nexus OneNexus OneThe Nexus One was Google's flagship smartphone manufactured by Taiwan's HTC Corporation. It became available on January 5, 2010 and uses the Android open source mobile operating system...
running Android
Successful exploit
- Charlie MillerCharlie Miller (security researcher)Charles Miller is a computer security researcher with the consulting firm Accuvant LABS.Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple...
successfully hacked Safari 4 on Mac OS X. - Peter Vreugdenhil exploited Internet Explorer 8 on Windows 7 by using two vulnerabilities that involved bypassing ASLRAddress space layout randomizationAddress space layout randomization is a computer security method which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space.- Benefits :Address space randomization hinders...
and evading DEPData Execution PreventionData Execution Prevention is a security feature included in modern operating systems.It is known to be available in Linux, Mac OS X, and Microsoft Windows operating systems and is intended to prevent an application or service from executing code from a non-executable memory region. This helps...
. - Nils hacked Firefox 3.6 on Windows 7 64-bit64-bit64-bit is a word size that defines certain classes of computer architecture, buses, memory and CPUs, and by extension the software that runs on them. 64-bit CPUs have existed in supercomputers since the 1970s and in RISC-based workstations and servers since the early 1990s...
by using a memory corruption vulnerability and bypass ASLR and DEP. MozillaMozillaMozilla is a term used in a number of ways in relation to the Mozilla.org project and the Mozilla Foundation, their defunct commercial predecessor Netscape Communications Corporation, and their related application software....
patched the security flaw in Firefox 3.6.3. - Ralf-Philipp Weinmann and Vincenzo Iozzo hacked the iPhone 3GS by bypassing the digital code signatures used on the iPhone to verify that the code in memory is from Apple.
Opera
The Opera web browserOpera (web browser)
Opera is a web browser and Internet suite developed by Opera Software with over 200 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages, managing contacts, chatting on IRC, downloading files via BitTorrent,...
was left out of the contests as a target: The ZDI team argues that Opera has a low market share and that Chrome and Safari are only included "due to their default presence on various mobile platforms". However, Opera's rendering engine, Presto
Presto (layout engine)
Presto is the layout engine for later versions of the Opera web browser . After several public betas and technical previews, it was released on January 28, 2003 in Opera 7 for Windows, and as of Opera 11 it is still in use. Presto is dynamic: the page or parts of it can be re-rendered in response...
, is present on millions of mobile platforms.
Contest 2011
The 2011 contest took place between March 9 until 11th during the CanSecWest conference in VancouverVancouver
Vancouver is a coastal seaport city on the mainland of British Columbia, Canada. It is the hub of Greater Vancouver, which, with over 2.3 million residents, is the third most populous metropolitan area in the country,...
, Canada
Canada
Canada is a North American country consisting of ten provinces and three territories. Located in the northern part of the continent, it extends from the Atlantic Ocean in the east to the Pacific Ocean in the west, and northward into the Arctic Ocean...
. http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011
Targets
The web browser targets for the 2011 contest included Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, and Google Chrome. New to the Pwn2Own contest was the fact that a new attack surface was allowed for penetrating Mobile phones, specifically over cellphone basebands. The Mobile Phones targets were Dell Venue Pro running Windows Phone 7, iPhone 4 running iOS, Blackberry Torch 9800 running Blackberry 6 OS, and Nexus S running Android 2.3.Teams
The following teams registered for the desktop browser contest:- Apple Safari: VUPEN, Anon_07, Team Anon, Charlie Miller
- Mozilla Firefox: Sam Thomas, Anonymous_1
- Microsoft Internet Explorer: Stephen Fewer, VUPEN, Sam Thomas, Ahmed M Sleet
- Google Chrome: Moatz Khader, Team Anon, Ahmed M Sleet
For the mobile browser category, the following teams registered:
- Apple iPhone: Anon_07, Dion Blazakis and Charlie Miller, Team Anon, Anonymous_1, Ahmed M Sleet
- RIM Blackberry: Anonymous_1, Team Anon, Ahmed M Sleet
- Samsung Nexus S: Jon Oberheide, Anonymous_1, Anon_07, Team Anonymous
- Dell Venue Pro: George HotzGeorge HotzGeorge Francis Hotz , alias geohot, million75 or simply mil, is an American hacker known for unlocking the iPhone, allowing the phone to be used with other wireless carriers, contrary to AT&T and Apple's intent...
, Team Anonymous, Anonymous_1, Ahmed M Sleet
Day 1
During the first day of the competition Safari and Internet Explorer were defeated by researchers. Safari was version 5.0.3 installed on a fully patched Mac OS X 10.6.6. French security firm VUPEN was first to attack the browser, and five seconds after the browser visited its specially crafted malicious web page, it had both launched the platform calculator application (a standard harmless payload to demonstrate that arbitrary code has been executed) and written a file to the hard disk (to demonstrate that the sandbox had been bypassed).The second and last browser to fall for the day was a 32-bit Internet Explorer 8 installed on 64-bit Windows 7 Service Pack 1. Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. Just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk.
Day 2
In day 2 the iPhone 4 and Blackberry Torch 9800 were both exploited. Security researchers Charlie MillerCharlie Miller (security researcher)
Charles Miller is a computer security researcher with the consulting firm Accuvant LABS.Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple...
and Dion Blazakis were able to gain access to the iPhone's address book through a vulnerability in Mobile Safari by visiting their exploit ridden webpage. The iPhone was running iOS 4.2.1, however the flaw exists in the current 4.3 version of the iOS.
Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann were successful in exploiting the Blackberry Torch 9800. The team took advantage of a vulnerability in the Blackberry's WebKit based web browser by visiting their previously prepared webpage. The phone was running BlackBerry OS 6.0.0.246.
Firefox, Android and Windows Phone 7 were scheduled to be tested during day 2, but the security researchers that had been chosen for these platforms did not attempt any exploits. Sam Thomas had been selected to test Firefox, but he withdrew stating that his exploit was not stable. The researchers that had been chosen to test Android and Windows Phone 7 did not show up.