TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... Most phishing sites are hosted on compromised Apache + PHP + MySQL servers located in the US. Our Digital Vaccine service includes filters specifically designed to prevent potential victims from reaching many of these malicious sites.

PWN to OWN: Final Day (and another winner!)

The third and final day of the PWN to OWN contest at the CanSecWest security conference begins today, March 28th at 12:30pm local time (PST) in Vancouver.  Yesterday, on day two of the contest, the MacBook Air was successfully compromised first and won by a team from Independent Security Evaluators, also winning $10,000 from us (the Zero Day Initiative). 

As of today, since the Vista and Ubuntu laptops are still standing unscathed, we are now opening up the scope beyond just default installed applications on those laptops; any popular 3rd party application (as deemed "popular" by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise.  For a refresher on the full rules and cash prizes, check out the PWN to OWN contest guidelines.


2:30pm PST Update: Its been two hours so far, and both Vista and Ubuntu laptops are still standing. Stay tuned...

7:30pm PST Update - Vista Laptop was Won!: Congratulations to Shane Macaulay from Security Objectives - he has just won the Fujitsu U810 laptop running Vista Ultimate SP1 after it was installed with the latest version of Adobe Flash. Not only is he the official winner of the Fujitsu laptop, but also $5,000 from us. Shane received some assistance from his friends Derek Callaway (also from Security Objectives) and Alexander Sotirov. If you'll also remember, Shane Macaulay was Dino Dai Zovi's on-site team member at last year's PWN to OWN event in which they ultimately took the top prize.

The new Adobe Flash 0day vulnerability that Shane exploited has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Adobe who is now working on the issue.  Until Adobe releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability.  You can track the status of the vulnerability on the Zero Day Initiative upcoming advisories page under ZDI-CAN-306. 



Above pictured is Aaron from TippingPoint on the left officiating in front of the Fujitsu laptop, while Shane Macaulay and his pwnage assistant Alexander Sotirov (next from left to right) refine the Adobe Flash exploit.

So at the end of the last day of the contest, only the Sony VAIO laptop running Ubuntu was left standing. 

We had an awards ceremony tonight where we officially handed out both winning laptops as well as brand spankin' new Zero Day Initiative laptop bags.  Here are a couple of pics of the happy winners:




Above pictured is Charlie Miller whose team won the MacBook Air and $10,000 on day two of the contest.





Above pictured is winner Shane Macaulay on the right showing off the spoils of victory with his friend Alexander Sotirov on the left.

We want to thank the organizers of CanSecWest and everyone who helped out with the PWN to OWN contest, especially Dragos Ruiu, Ron Dodge, Tim Rosenberg, Dwight Hobbs, and Chris Owen.  See you next year!


Tags: cansecwest,pwn2own
Published On: 2008-03-28 10:40:24

Comments post a comment

  1. klaymation commented on 2008-03-28 @ 14:24

    Waiting to hear if the Vista machine is next

  2. Eagles Lair commented on 2008-03-28 @ 14:54

    Maybe they oughta install Safari on the other two machines, just to make it a bit more equal. But as BetaNews reported "Safari's license agreement still prohibits installs on computers that aren't "Apple-labeled." even though Apple is pushing it to Windows boxes in an iTunes update. It's a perfect storm!

  3. Erik commented on 2008-03-28 @ 15:35

    Hmm... I don't know...
    There is too many linux software that is in alpha/beta stage... More likely to find an exploit there with all the open source... I fear that the Ubuntu laptop will be the next one.
    It is, of course, hard to make equal rules for all systems, e.g. messenger in Vista supports only one protocol compared to a dozen in Ubuntu's pidgin.
    But, let us wait and see...

  4. indigo196 commented on 2008-03-28 @ 23:42

    Was the Vista box Vista32 or Vista64?

  5. ZDI commented on 2008-03-28 @ 23:49

    32 bit

  6. Anonymous commented on 2008-03-29 @ 06:00

    @Erik

    There is too many linux software that is in alpha/beta stage... More likely to find an exploit there with all the open source... I fear that the Ubuntu laptop will be the next one.

    It has to be next one. It is the last one standing.
    Also, the beta quality software in the linux world does not mean the same thing when the term is used by a marketeer instead of a programmer.

    Firstly, because it is open source, its much easier to find exploits and fix them. For example the american DoD runs most of its stuff on linux. They verify the parts they use (i assume they strip everything else from those servers) and supply patches if they find any exploits. So, the core operating system and networking code is likely the most safe and best maintained out there.

    The same could possible not be said for desktop applications, but if they get compromized they still would not be able to take over the machiene, since the design is different.

    This is even true, to some extent, for Vista nowadays. Where being able to execute random code on the user's account does not mean they are, for example, able to install a rootkit.

    It has to do with the history of these OS's. Linux started out as a server focused operating system, which gradually added more and more desktop like functionality. Windows started out as a desktop operating system which gradually added networking and server support. Because of backwards compatibility, some design choices in Linux aren't optimal for the desktop, whereas some design choices in Windows aren't optimal (read: safe) for the server. When microsoft took the first step in fixing those design issues, a lot of 3rd party software stopped working. Which is one of the reasons people dislike Vista so much. They can't seem to understand that you can't have your cake and it eat it too.

  7. Jake commented on 2008-03-29 @ 10:24

    The rules state that a successful exploit requires code execution allowing a specific (pre-designated) file to be read. Was this file in the user's home directory (or My Documents), or somewhere else, such as root's home dir? What I'm getting at is, are we talking about user-level access or user-level + privilege escalation?

  8. Jay commented on 2008-03-29 @ 10:44

    You are right: The fact that linux is Open Source makes it easier to find bugs. But not only for the contestants ;). It's the same for the programmers in the open source community - I believe that most of the open source software is better tested and more secure than proprietary software.

    Considering that a Ubuntu by standard does not allow a root (admin) account, it is going to be hard to take over the computer by a rootkit or something similar. The only place touchable would be the user's home folder. To modify the system or install software, the root password would be required.

    I'm not saying it is impossible but it will be tricky.
    Good luck to the contestants :)

  9. Anonymous commented on 2008-03-29 @ 10:49

    Did you realize that the guys "cracking" the Vista laptop are using Mac's? Despite the fact that this was the first OS to go down...

  10. Anonymous commented on 2008-03-29 @ 11:12

    Ummm... the black laptop in the middle of the first photo looks suspiciously like an IBM Thinkpad. Time for the fanboys to wish up another irrelevant point for the defense of 'enter_your_OS_of_choice'.

    RE: "Did you realize that the guys "cracking" the Vista laptop are using Mac's? Despite the fact that this was the first OS to go down..."

  11. Anonymous commented on 2008-03-29 @ 11:19

    That nonsense about most software in the Linux world being mostly alpha/beta, well sorry, but I call shenanigans. Yes there is software that is alpha/beta. But I guarantee you it's not on production use distro's. Quite honestly I have used alpha/beta open source software that was better than commercial software. It just depends.

    Oh and that stuff about linux being created for servers is bs too. "In 1990 he purchased an Intel 80386-based IBM PC and spent a few weeks playing the game Prince of Persia before receiving his MINIX copy which in turn enabled him to begin his work on Linux." (http://en.wikipedia.org/wiki/Linus_Torvalds) It was never "designed" to be a server OS, it was never "designed" to be a desktop OS. It was just made to tickle someone's fancy. There was no specific goal in mind when Linus started. He didn't care if it ran on your laptop, server, mainframe, phone, dvr, watch, desktop, etc. Most all of the ports to other architectures and things came from third party contributors. As did most of the kernel itself. It was made for whatever anyone wanted it to be made for. Linus didn't put in Real-Time patches into the kernel. Contributors did. If someone wants it to do something, then they just do it. It's all there waiting to be changed to anyone's hearts desire.

  12. Craig Huffstetler commented on 2008-03-29 @ 11:33

    What other applications were installed on the machines besides the base operation system? Obviously, Adobe Flash was ;-) What else?

    I think in all fairness, maybe BASE OPERATING system should have been the main factor in this event (and not other programs installed, unless this was just "normal user activity" and this was the pattern you were examining in the contest).

    Can you release a list of programs installed before/during the contest besides the base operating system? Perhaps even the Service Packs/updates (if any at all)? This information would be interesting to see.

    - CH

  13. Anonymous commented on 2008-03-29 @ 11:39

    well, do you see anyone using it? ;-)

    RE: "Ummm... the black laptop in the middle of the first photo looks suspiciously like an IBM Thinkpad. Time for the fanboys to wish up another irrelevant point for the defense of 'enter_your_OS_of_choice'."

  14. Erik commented on 2008-03-29 @ 12:07

    Well, I am glad I was wrong then... Congrats to Ubuntu creators for making a rather unshakable distro!

  15. Anonymous commented on 2008-03-29 @ 14:20

    Not sure how this is a contest about the security of the various OS/s anymore.... Apple - sure - it was their browser on their OS that caused the problems...

    But Adobe screwing up Windows? How's that Microsoft's fault? How does that prove that Ubuntu is supposedly the better OS? Anyone can write malware (whether intentionally or accidentally) and get people to install it...

  16. Theli commented on 2008-03-29 @ 17:29

    "But Adobe screwing up Windows? How's that Microsoft's fault? How does that prove that Ubuntu is supposedly the better OS? Anyone can write malware (whether intentionally or accidentally) and get people to install it..."

    That's probably why the software had to be "popular" so they couldn't just install anything they wanted.
    And 3rd party software on Ubuntu is mostly installed through package managers using repositories managed by Linux distributers (Canonical, Debian Project), while Windows software is most often installed through installers downloaded from websites. So, in terms of secure sources of software I think Ubuntu has the upper hand.

  17. Stas commented on 2008-03-29 @ 18:57

    "But Adobe screwing up Windows? How's that Microsoft's fault?"
    Why it shouldn't be? Adobe also provides flash plugin for Ubuntu applications, so why the same couldn't be exploited on it? It's all about OS and how it uses third party provided software. This is where Windows sucks!

    And btw, guys from dvlabs, can't you moderate a bit all of this comments? Why do we have to read the same opinions repeated 5 more times?!
    :-/

    Anyway congrats for such a nice event!

  18. jabber commented on 2008-03-29 @ 20:51

    "And 3rd party software on Ubuntu is mostly installed through package managers using repositories managed by Linux distributers (Canonical, Debian Project), "

    Um Theli, they cracked Vista not through the installation of Adobe Flash but an exploit in adobe flash.

    Since Adobe makes Flash for Linux as well, I'm wondering if hacking a machine with known exploits is not allowed. So if one system is hacked, they cannot use the same exploit on the other?

    If this is the case, maybe it was just Adobe that was hacked just like quicktime has gaping holes on any OS.

    Anyone know the rules ??

  19. Anonymous commented on 2008-03-30 @ 02:44

    @Jay

    "[...]

    Considering that a Ubuntu by standard does not allow a root (admin) account, it is going to be hard to take over the computer by a rootkit or something similar. The only place touchable would be the user's home folder. To modify the system or install software, the root password would be required.

    [...]"

    Hmm, so the root password is required to install software in Ubuntu?! And you are sure about that?

    And what is so tricky about 'sudo passwd' to activate the root account?

  20. jstacat commented on 2008-03-30 @ 08:56

    Interesting that flash became a 'trojan'
    I'd noticed in the past 2 weeks that flash was giving problems on my machine [some type of overflow] so i banned it from my machines 2 wks ago.

    This is just another in a long list of flash problems. Flash is not suitible for operating a website yet.
    one problem is that it asserts itself in browser process before the user can input a choice.. and thats probably the basis of the hack.

  21. Anonymous commented on 2008-03-30 @ 23:23

    Linux is rough. No wonder it couldn't be cracked. Any hacker who messes with Linux, probably messes with Debian. If they're going after some big guy, they'll mess with Red Hat or SuSE. Because every distro is different, saying Linux was left is a misnomer. Ubuntu 7.10 was left. I wonder how much time they spent cracking it? Any at all? I've run that distro and it's hell to get anything integrated. Just try installing Acrobat and view PDF files. It's misery compared to Vista or OS X.

  22. Francisco commented on 2008-03-31 @ 05:55

    The guys hacking Vista's laptop are indeed using Mac's.
    But do you know what O.S are they running. I don't really know, but it could be any O.S.

  23. Ian Boyd commented on 2008-03-31 @ 06:30

    Assuming they had a user browse to some custom flash content: they managed to elevated out of ie7 protected, and also elevate to administrative privilege without the user knowing?

    Or did they manage simply to execute arbitrary code as the restricted user?

  24. sigsegv commented on 2008-03-31 @ 07:07

    "Considering that a Ubuntu by standard does not allow a root (admin) account, it is going to be hard to take over the computer by a rootkit or something similar. The only place touchable would be the user's home folder. To modify the system or install software, the root password would be required." -- Jay

    Taking over a box with a rootkit eh? I think somebody has their technologies confused... ;)

    Oh, and for the record, I know of a number of vulnerabilities that are Debian/Ubuntu specific.

    People probably found vulns in the Ubuntu laptop; they just didn't feel like going through the effort to get a working PoC for the contest. The contest didn't exactly offer high prices for the 0days.

  25. ron commented on 2008-03-31 @ 07:20

    "But Adobe screwing up Windows? How's that Microsoft's fault?"

    It's fair game. Which would you rather have? A rock solid OS where any clumsy 3rd party software exploit could turn it into a spam spewing zombie that also sends along your financial records. Or a rock solid OS that prevents that 3rd party software from grabbing control of your internet or reading your personal data.

  26. commonsense commented on 2008-03-31 @ 09:58

    quote=Anonymous commented on 2008-03-29 @ 14:20
    "Not sure how this is a contest about the security of the various OS/s anymore.... Apple - sure - it was their browser on their OS that caused the problems...

    But Adobe screwing up Windows? How's that Microsoft's fault? How does that prove that Ubuntu is supposedly the better OS? Anyone can write malware (whether intentionally or accidentally) and get people to install it..."

    this is very much the point of OS security. Because it will never live in a vaccuum the system by design should be protected from user-level code software. Windows has no such protection, i.e. any 'user' can install software that rewrites system level .dll files but in linux this is generally not allowed - unless you're root and reinstalling system level libraries.

    additionally, windows makes no distinction between who is executing code, linux does. this adds another layer of protection from malicious code.

  27. Anonymous commented on 2008-03-31 @ 10:07

    [But Adobe screwing up Windows? How's that Microsoft's fault? How does that prove that Ubuntu is supposedly the better OS? Anyone can write malware (whether intentionally or accidentally) and get people to install it...]

    It's Microsoft's fault because if the OS was properly written the malware applications wouldn't be able to compromise it.

  28. Anonymous commented on 2008-03-31 @ 13:08

    That nonsense about most software in the Linux world
    being mostly alpha/beta, well sorry, but I call
    shenanigans. Yes there is software that is alpha/beta.
    But I guarantee you it's not on production use distro's.
    Quite honestly I have used alpha/beta open source
    software that was better than commercial software. It
    just depends.

    Well, its kinda true, not that much software has reached version 1, which should be the "feature complete" stage. so technically it is beta in that sense, not in the stability side.

    Ummm... the black laptop in the middle of the first photo
    looks suspiciously like an IBM Thinkpad. Time for the
    fanboys to wish up another irrelevant point for the
    defense of 'enter_your_OS_of_choice'.

    Count: 2 macs (one on table, one on lap) and 1 thinkpad. The apple has already been hacked so they gotta be the tools.




  29. Rob D commented on 2008-03-31 @ 13:42

    What does an Ubuntu install consist of? Just the operating system? Both MacOS 10.x and Vista contain other software such as web browsers mail clients etc. Does that not make these systems more vulnerable out of the box?

    What is the default access for these systems. Admin, user etc? How do they compare. Would a future set up include all default access as user only, if they were not all the same?

  30. Jaqui commented on 2008-03-31 @ 20:25

    These results surprise me.
    I would have expected the Windows system to go down first.

    What's really surprising though, is that the least secure Linux distro didn't go down.
    Cannonical made a critical error by not requiring a root password with their distros. Until they change that so that root must have a password, and tht password must be different than the user password, Ubuntu, Kubuntu, ... are not secure enough for any corporate use.
    [ Windows is designed strictly for home use anyway, so it's lack of security is normal. ]

  31. Alexander Sotirov commented on 2008-04-01 @ 01:52

    One of the previous comments said:

    Did you realize that the guys "cracking" the Vista laptop are using Mac's? Despite
    the fact that this was the first OS to go down...

    Both Shane and I are running Vista on our MacBooks :-)

  32. ssuuddoo commented on 2008-04-04 @ 03:28

    RE: Rob D commented on 2008-03-31 @ 13:42
    Ubuntu has more applications preinstalled in the default system. Has a complete Office suite, IM for almost all networks, network tools, burning tools (that work inspite of the one in Win) and tens more than that. So from this point of view it would make ubuntu even more vulnerable.

  33. randy commented on 2008-04-04 @ 11:49

    [QUOTE sigsegv] People probably found vulns in the Ubuntu laptop; they just didn't feel like going through the effort to get a working PoC for the contest. The contest didn't exactly offer high prices for the 0days.[end of QUOTE]

    Hahahaha. That was funny. Seems like you are saying that hacking the Ubuntu Linux wasn't worth the money.

    On the same note, that would mean it is harder, not easier to hack.

    Or do you think, because nobody showed up that could operate Linux?

    My Question to ZDI, Did anyone attempt to hack the Ubuntu system?

  34. Sam Bull commented on 2008-04-04 @ 19:00

    "What does an Ubuntu install consist of? Just the operating system? Both MacOS 10.x and Vista contain other software such as web browsers mail clients etc. Does that not make these systems more vulnerable out of the box?"

    Ubuntu is a complete OS, of course it contains a web browser (Firefox), email client (Evolution) etc. (I'm using them now :P)

    "I wonder how much time they spent cracking it? Any at all? I've run that distro and it's hell to get anything integrated. Just try installing Acrobat and view PDF files."

    Acrobat is a Windows program, if you mean Adobe Reader, why would you want to use that? The default pdf viewer in Ubuntu (oh, there's a program that Windows doesn't bother to include by default, maybe Ubuntu has more programs than Windows...) is simple to use, and less resource intensive, I don't see any reason to use Adobe Reader.

  35. Mitch 74 commented on 2008-05-05 @ 15:58

    Well, I'd just mention in passing that a version of Flash is provided with Windows; essentially, installing the latest version of Flash is actually a MS-distributed patch (and it appears as such in Add/Remove Softwares).
    So, exploiting Flash on Windows is indeed attacking MS's core OS right off the install CD+patches and SPs; it couldn't have worked with Ubuntu (Flash not installed and not accessible by default).
    Actually, gaining user account access from remote is not that difficult: social engineering will do that. However, going from user to root level is another piece of a challenge: you need to either compromise the kernel (good luck), or a daemon running with root authorizations (most don't by design, or are developed as part of the kernel or close to it).
    In short: Flash could trash MacOS, and Windows; Safari could trash Windows if installed (but it's not default), and surely MacOS; not Ubuntu (it doesn't exist). Doing that with Firefox (available for all three) or Konqueror wouldn't help: they run as userspace software.

    Depending on the hardware, you could hit the X server; however, even then, Ubuntu only ships with safe drivers (user space only for nv, or scrutinized DRI/DRM modules for Ati and Intel), so...

    No, frankly, breaking open a fresh Linux desktop is no walk in the park.

  36. Kyle commented on 2008-07-17 @ 14:39

    I know that Ubuntu stayed and I don't think it was attacked, but does anyone know the answer to this question. Since the rules stated that only the essentials to make the system compatable with the computer, like cd before disk on bios, is allowed and all else must be defaults, is iptables up and running on the Ubuntu, kuz it has to be started by downloading and running firestarter?


Trackback