Post Reply 
PWN to OWN: Final Day (and another winner!)
Author Message
S7*
Sweet Dreams

Posts: 16,689.4373
Threads: 1,056
Joined: 3rd Apr 2007
Reputation: 14.29926
E-Pigs: 383.2289
Offline
Post: #1
PWN to OWN: Final Day (and another winner!)
Quote:The third and final day of the PWN to OWN contest at the CanSecWest security conference begins today, March 28th at 12:30pm local time (PST) in Vancouver.  Yesterday, on day two of the contest, the MacBook Air was successfully compromised first and won by a team from Independent Security Evaluators, also winning $10,000 from us (the Zero Day Initiative).

As of today, since the Vista and Ubuntu laptops are still standing unscathed, wee are now opening up the scope beyond just default installed applications on those laptops; any popular 3rd party application (as deemed "popular" by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise.  For a refresher on the full rules and cash prizes, check out the PWN to OWN contest guidelines.


2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned...

7:30pm PST Update - Vista Laptop was Won!: Congratulations to Shane Macaulay from Security Objectives - he has just won the Fujitsu U810 laptop running Vista Ultimate SP1 after it was installed with the latest version of Adobe Flash. Not only is he the official winner of the Fujitsu laptop, but also $5,000 from us. Shane received some assistance from his friends Derek Callaway (also from Security Objectives) and Alexander Sotirov. If you'll also remember, Shane Macaulay was Dino Dai Zovi's on-site team member at last year's PWN to OWN event in which they ultimately took the top prize.

The new Adobe Flash 0day vulnerability that Shane exploited has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Adobe who is now working on the issue.  Until Adobe releases a patch for this issue, neither wee nor the contestants will be giving out any additional information about the vulnerability.  You will be able to track the vulnerability on the Zero Day Initiative upcoming advisories page.  

tl;dr: Vista got Pwnt, Ubuntu last left standing hence victorious. Adobe Flash vulnerability was responsible.

Sauce: http://dvlabs.tippingpoint.com/blog/2008...nd-wrap-up

I lol'd. Ahaa
(This post was last modified: 29/03/2008 09:43 AM by S7*.)
29/03/2008 09:41 AM
Find all posts by this user Quote this message in a reply
Hellgiver
Team Ramrod

Posts: 1,875.3073
Threads: 230
Joined: 27th Sep 2007
Reputation: 2.15096
E-Pigs: 57.9774
Offline
Post: #2
RE: PWN to OWN: Final Day (and another winner!)
Was that the same contest in which the dude hacked Air in 2 minutes? I remember he got 10k there, so I thought it might be the same one.

[Image: toocool.png]
<3 Diego!
29/03/2008 09:45 AM
Find all posts by this user Quote this message in a reply
S7*
Sweet Dreams

Posts: 16,689.4373
Threads: 1,056
Joined: 3rd Apr 2007
Reputation: 14.29926
E-Pigs: 383.2289
Offline
Post: #3
RE: PWN to OWN: Final Day (and another winner!)
Hellgiver Wrote:Was that the same contest in which the dude hacked Air in 2 minutes? I remember he got 10k there, so I thought it might be the same one.

Yeas its the same one :P
29/03/2008 09:55 AM
Find all posts by this user Quote this message in a reply
Hellgiver
Team Ramrod

Posts: 1,875.3073
Threads: 230
Joined: 27th Sep 2007
Reputation: 2.15096
E-Pigs: 57.9774
Offline
Post: #4
RE: PWN to OWN: Final Day (and another winner!)
I'd really enjoy to watch that actually.

[Image: toocool.png]
<3 Diego!
29/03/2008 10:00 AM
Find all posts by this user Quote this message in a reply
u_c_taker
hacks=drama

Posts: 3,185.2011
Threads: 102
Joined: 29th Jan 2007
Reputation: -1.03084
E-Pigs: 36.7855
Offline
Post: #5
RE: PWN to OWN: Final Day (and another winner!)
wow a mac got hacked faster than vista
oh well i guess ms have improved security

29/03/2008 10:41 AM
Find all posts by this user Quote this message in a reply
Hellgiver
Team Ramrod

Posts: 1,875.3073
Threads: 230
Joined: 27th Sep 2007
Reputation: 2.15096
E-Pigs: 57.9774
Offline
Post: #6
RE: PWN to OWN: Final Day (and another winner!)
u_c_taker Wrote:wow a mac got hacked faster than vista
oh well i guess ms have improved security

Well, to be fair, he had the code already on his site, which he went straight to via safari.  The rules states you could only use out of the box programs from the start... and well...

Quote:Boston (dbTechno) - Security researchers have managed to team together to win $10,000. They won the prize after they hacked into the MacBook Air in just two minutes.

It is believed that they hacked the MacBook Air using a vulnerability found in the Safari Web browser.

The team is known as the Independent Security Evaluators, and is made up of Charlie Miller, Jake Honoroff, and Mark Daniel.

They took part in the Pwn to Own contest put on by TippingPoint.

To win the contest, they hacked into, and gained full control of the MacBook Air in mere seconds.

The event was put on in Vancouver, Canada to check how the MacBook Air performed against other PCs running Windows Vista, as well as Ubuntu.

The first machine was the VAIO VGN-TZ37CN running Ubuntu 7.0. There was also the MacBook Air running OSX 10.5.2 and a Fujitsu U810 running Windows Vista Ultimate SP1.

The hackers managed to have a code already set up ona Web site. They were then able to hack into the MacBook Air by tricking the judges to visit the site.

This is believed to be a newly discovered and major vulnerability in the Safari Web browser. The vulnerability has been reported to Apple who is now working on the problem.


http://www.dbtechno.com/computers/2008/0...0-seconds/

[Image: toocool.png]
<3 Diego!
(This post was last modified: 29/03/2008 10:45 AM by Hellgiver.)
29/03/2008 10:44 AM
Find all posts by this user Quote this message in a reply
ZiNgA BuRgA
Smart Alternative

Posts: 17,022.2988
Threads: 1,174
Joined: 19th Jan 2007
Reputation: -1.71391
E-Pigs: 446.1294
Offline
Post: #7
RE: PWN to OWN: Final Day (and another winner!)
Can't really say it's Vista's fault, as it's really Adobe's.

But Flash has always had its run of security holes - I don't really trust Flash :P
(This post was last modified: 29/03/2008 07:23 PM by ZiNgA BuRgA.)
29/03/2008 07:22 PM
Visit this user's website Find all posts by this user Quote this message in a reply
S7*
Sweet Dreams

Posts: 16,689.4373
Threads: 1,056
Joined: 3rd Apr 2007
Reputation: 14.29926
E-Pigs: 383.2289
Offline
Post: #8
RE: PWN to OWN: Final Day (and another winner!)
ZiNgA BuRgA Wrote:Can't really say it's Vista's fault, as it's really Adobe's.

But Flash has always had its run of security holes - I don't really trust Flash :P

You can't really say that.

Its the difference about how far Flash can get into a System - and a full Admin Account on Vista is bound to get exploited.

I doubt a Flash Exploit on Linux would be as effective.
30/03/2008 02:28 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)

 Quick Theme: