TippingPoint Digital Vaccine Laboratories

CanSecWest PWN to OWN 2008 (updated)

March 24th Update: We've modified the rules and increased the prize amounts. Please see the new rules detailed below.

Since the announcement of the ZDI cash prize sponsorship for the CanSecWest PWN to OWN contest, we've received a lot of excellent and much appreciated feedback from the security community regarding the complexity of the original rules and the prize structure. We've gone back to the drawing board to see how we can better simplify the contest.

Based on the current feedback, we've agreed to keep this contest a "best of the best" showdown, and therefore only one cash prize will be offered per machine. Our original goal in offering the chance for multiple persons to compete for cash prizes (even after the boxes were pwned) was to create more opportunity and fairness for the contestants and alleviate issues of timing around who gets to go first. As a result of reducing the number of prizes to three, we were able to increase the prize amounts as detailed below.

Well, it's that time of year again: the CanSecWest security conference is rolling back around March 26th-28th in Vancouver, BC.

This year's conference includes another round of the now famous "PWN TO OWN" contest, established in 2007 by CanSecWest organizers.  For any who may not be familiar with the previous year's festivities, you can brush up on the subject here.

We received numerous inquiries as to whether or not the TippingPoint Zero Day Initiative program (ZDI) was going to step up with another cash reward this year for the winning vulnerability. After some careful thought and deliberation, we all agreed that despite some of the controversy last year, the outcome was a win-win situation for all. The ZDI program was able to remove a critical Apple QuickTime flaw from the market and hand it over to Apple quickly and responsibly, and Apple was able to very quickly issue an update to protect their customers. Oh yes, and the winner, Dino Dai Zovi, walked away with a pocket full of cash.

With a few important lessons learned from the ad-hoc sponsoring of the contest last year, the ZDI program has agreed to get involved again, and raise the stakes of the existing contest with some cash incentives.

Here are the details that we've ironed out with CanSecWest organizers, and more details will follow leading up to the contest. Stay tuned, we'll keep you posted on all the late breaking news!

The 2008 PWN to OWN Details

This year's PWN to 0WN contest will begin on March 26th, the first day of the CanSecWest conference. The contest includes three laptops, running the most up to date and patched installations of MacOS X Leopard, Windows Vista, and Ubuntu Linux:
  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2
The main purpose of this contest is to responsibly unearth new vulnerabilities within these systems so that the affected vendor(s) can address them.

To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (i.e., no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team's exploit remains private. Slots will be available for sign-up in 30-minute increments at the beginning of each day. Slots are assigned in random order. Once everyone signs up each morning, spots will be assigned randomly. Any WiFi or Bluetooth exploits will be verified offsite in a secure lab to prevent snooping.

The first winner of each laptop gets to keep it (one laptop per vulnerability entry) as well as a cash prize sponsored by ZDI. Once a laptop is won, however, no more exploits may be submitted. Therefore there are a maximum of three cash prizes, one per laptop.

All winning exploits will be handed over to the affected vendors at the conference through the ZDI, with the appropriate credit given to the contestant once the vendor patches the issue. Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit through the ZDI. An awards ceremony at the end of the conference will present each winner with their prizes.

Any vulnerability that the Zero Day Initiative awards a cash prize for becomes the property of the ZDI, and therefore the winner cannot discuss or disclose details of the 0day until the affected vendor has successfully patched the issue. Any discussion of the bug prior to the public disclosure of a ZDI advisory will result in forfeiture of the prize. TippingPoint is collaborating with the vendors to ensure that their response teams will be ready and waiting to receive any and all 0day that comes out of this contest. For all other vulnerabilities, we are ready to forward the information on to the appropriate vendor (Adobe, Skype, Apache, Sendmail, etc.) upon verification of the issue.

The Cash Prizes

All machines will be fully patched and in a default configuration. Simply put, if the vendor shipped it on the box and it's enabled, it's in scope.

Day 1: March 26th: Remote pre-auth
All laptops will be open only for remotely exploitable pre-auth vulnerabilities which require no user interaction. First one to pwn it receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.

Day 2: March 27th: Default client-side apps
The attack surface increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor-supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.

Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will also be posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.

*To accommodate any individuals who may not have gotten a chance to take a stab at the machines, we'll provide the opportunity onsite for folks to submit their vulns through the normal ZDI process if they'd like to be compensated for their discovery.

The awards ceremony will take place at the end of the day on the 28th. More details and daily results from the contest will be posted here on our blog.  Please feel free to ask questions in the Comments section of this posting and we will try to answer them in a timely manner.

Update - see here for the final results from the contest.

Tags: zdi,pwn to 0wn,cansecwest
Published On: 2008-03-19 10:28:01

Comments

  1. Anonymous commented on 2008-03-27 @ 19:26

    Are the OS installs left in default configurations, or are some settings turned on or off by the organizers?

  2. ZDI commented on 2008-03-27 @ 19:54

    All platforms are left in their default configuration, as if a normal desktop user were operating it.

  3. Anonymous commented on 2008-03-29 @ 00:35

    I think you need to refine your rules a bit more and state that the exploit has to be worked on during the hours of the contest to keep contestant(s) from bringing something prepared; as it seems that the winner of the MBA did. I think it would be interesting to see exactly how long it actually took to discover the exploit then create the code to take advantage of it.

  4. JesusFreak107 commented on 2008-03-31 @ 15:30

    Default config, eh? A VAIO running Ubuntu is not a default config, just so you know. And, yes, it makes a difference, an Ubuntu system pre-installed is a LOT more stable than a manually installed version, because the kernel is modified to work specifically with the hardware. Therefore, Ubuntu PWND the rest of the OSes even worse than it looks like.

  5. kyle commented on 2008-07-17 @ 14:43

    So does that mean that Ubuntu doesn't have iptables up and running since they are off by default? If anyone tried to crack the Ubuntu laptop, they should have had an easier time than the average user, since almost every Ubuntu startup site says to download Firestarter and make iptables up and running.