



Charlie Miller pwned yet another Mac computer at CanSecWest. He says Macs are easier to hack than Windows 7 computers.  (Source: ZDNet)

Peter Vreugdenhil managed to hack a patched 64-bit Windows 7 machine using tricks to bypass the operating system's memory protections.  (Source: ZDNet)
Safari on a Mac and Internet Explorer 8 in Windows 7 were also exploited

It's been an action-packed couple of days of Pwn2Own hacking contests at the CanSecWest security conference in Vancouver.  Hackers made quick work of Microsoft and Apple products alike, eroding Apple's image of superior security.

The fireworks began with an iPhone exploit coded primarily by Vincenzo Iozzo and Ralf Philipp Weinmann.  The exploit works on a fully patched iPhone 3GS (and presumably other models).  It allows an attacker to lure a target to a website and then steal any or all of the following -- the person's SMS text database (including deleted messages), their contacts, pictures, and iTunes music files.

Iozzo describes it this way: "Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control."

Halvar Flake also helped the pair develop the exploit.  He says that the iPhone's sandbox protections don't do enough to protect the user fully.  He states, "This exploit doesn't get out of the iPhone sandbox.  Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient."  In other words, no sandbox escape was needed: the browser process is allowed to read the SMS database, so code running inside the sandbox can exfiltrate it.

Flake posted more details on his blog.

The exploit currently crashes the browser, but the collaborators are planning a version that allows the browser to keep running.  They sold the rights to the vulnerability to TippingPoint's Zero Day Initiative, which is in turn working with Apple on a patch.

Iozzo and Weinmann scored the iPhone 3GS they hacked and a $15,000 cash prize.

That wasn't the only Apple product exploited -- as promised, Charlie Miller successfully hacked a Mac computer for the third year in a row.  Conference organizers navigated to a prepared webpage, which delivered its payload without any prompt to the user.  Miller used that payload to gain root access to the machine.

Miller is a champion of a testing technique known as fuzzing.  A fuzzer feeds a program large volumes of malformed or randomly mutated input -- file contents, network data, environment variables, keyboard and mouse events, sequences of API calls -- and watches for crashes or other unexpected behavior.  Each crash is a candidate memory-safety bug, and some of those bugs can be turned into exploits like the ones shown at the contest.
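The following is an added example of the "dumb" mutation fuzzing described above (and of the dumb fuzzer Miller mentions in the comments below); it is not Miller's fuzzer or any code from the contest.  It constructs a toy record format, a deliberately buggy parser that trusts an embedded length byte, a hardened parser, and a seeded mutation loop with a bounds oracle standing in for a crash or a sanitizer report.  The format, the parsers and the seed corpus are all invented for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy record format constructed for this example:
 * byte 0 = 'R', byte 1 = payload length, then the payload bytes. */
struct view { const uint8_t *p; size_t n; };
typedef int (*parser_fn)(const uint8_t *buf, size_t len, struct view *out);

/* Deliberately buggy parser: trusts the embedded length byte and never checks it
 * against the real buffer size.  Any consumer of the view reads past the input. */
int parse_record_buggy(const uint8_t *buf, size_t len, struct view *out) {
    if (len < 2 || buf[0] != 'R') return -1;
    out->p = buf + 2;
    out->n = buf[1];
    return 0;
}

/* Hardened parser: rejects a length that does not fit in what was actually received. */
int parse_record_checked(const uint8_t *buf, size_t len, struct view *out) {
    if (len < 2 || buf[0] != 'R') return -1;
    if ((size_t)buf[1] > len - 2) return -1;
    out->p = buf + 2;
    out->n = buf[1];
    return 0;
}

/* xorshift32 PRNG: seeded, so a finding is reproducible from (seed, iteration). */
static uint32_t rng_state;
static uint32_t rnd(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* "Dumb" mutation: copy the seed input and overwrite one to four random bytes. */
static size_t mutate(const uint8_t *seed, size_t seedlen, uint8_t *out, size_t cap) {
    size_t n = seedlen < cap ? seedlen : cap;
    memcpy(out, seed, n);
    unsigned flips = 1 + rnd() % 4;
    for (unsigned i = 0; i < flips; i++)
        out[rnd() % n] = (uint8_t)rnd();
    return n;
}

/* Oracle standing in for a crash or an ASan report: every byte of the parsed
 * view must lie inside the input buffer. */
static int out_of_bounds(const uint8_t *buf, size_t len, const struct view *v) {
    return (size_t)(v->p - buf) + v->n > len;
}

/* Runs `iterations` mutated inputs through `parser`.  Returns the iteration at
 * which the first bounds violation appeared, or -1 if none was found. */
int fuzz(parser_fn parser, uint32_t seed, int iterations) {
    static const uint8_t corpus[] = { 'R', 4, 'a', 'b', 'c', 'd' };  /* one valid seed input */
    uint8_t buf[64];
    rng_state = seed ? seed : 1;  /* xorshift must not start at zero */
    for (int i = 0; i < iterations; i++) {
        size_t len = mutate(corpus, sizeof corpus, buf, sizeof buf);
        struct view v;
        if (parser(buf, len, &v) != 0) continue;  /* a rejected input is not a bug */
        if (out_of_bounds(buf, len, &v)) {
            printf("iteration %d: length byte %u but only %zu payload bytes present\n",
                   i, (unsigned)buf[1], len - 2);
            return i;
        }
    }
    return -1;
}

int main(void) {
    int buggy = fuzz(parse_record_buggy, 0x1234, 1000);
    int fixed = fuzz(parse_record_checked, 0x1234, 1000);
    printf("buggy parser: %s\nchecked parser: %s\n",
           buggy >= 0 ? "bug found" : "nothing found",
           fixed >= 0 ? "bug found" : "nothing found");
    return 0;
}
```

The mutation strategy is deliberately naive, with no grammar and no coverage feedback, yet a few hundred iterations are enough to hand the buggy parser a length byte larger than the payload.  Running the same seed against the hardened parser and finding nothing is how the fix is checked with the same harness.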

For his efforts Miller scored another MacBook Pro (though he probably doesn't need it).  He's cooperating with Apple on a patch and won't release details of the vulnerability until it lands.

Apple wasn't the only OS maker to have its products hacked, though.  Windows 7's much celebrated memory protections were bypassed.

Dutch hacker Peter Vreugdenhil compromised a fully patched 64-bit Windows 7 machine by bypassing both ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).  Neither protection was switched off; they were sidestepped.  An information leak in Internet Explorer 8 revealed where a module was loaded, which removes the randomization ASLR depends on, and with a known module address the attack can reuse code already present in that module rather than injecting new instructions, so DEP has nothing to block.  With the protections out of the way, Vreugdenhil used his Internet Explorer 8 exploits to hijack the machine.

Vreugdenhil is also a proponent of fuzzing to discover exploitable bugs.  He explains, "I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass.  I was specifically looking through my fuzzing logs for a bug like this because I could use it to do the ASLR bypass."

IE team members were on hand to witness the feat.  They said that they are working with conference organizers to determine the nature of the vulnerability and make a patch to protect against it.
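The following is an added example of the leak-then-reuse pattern Vreugdenhil describes, reduced to a single C program; it is not his exploit and contains nothing from IE8.  The two functions, the `info_leak` stand-in and the arithmetic are all constructed for the demo.  The point it shows is that ASLR moves a module as a whole, so one leaked pointer plus offsets measured from a copy of the same binary locates everything else in that module, and that calling existing code through a derived address (the mechanism return-oriented techniques rely on) is not something DEP can stop because no new code is ever written.

```c
#include <stdint.h>
#include <stdio.h>

/* Two functions in the same module (this executable).  ASLR picks a different
 * base for the module on each run, but the distance between two symbols inside
 * it is fixed at link time. */
int target_function(int x) { return x * 2 + 1; }   /* code the attacker wants to run */
int leaked_function(int x) { return x + 1; }       /* whose address the info leak exposes */

/* Stand-in for the information-leak bug: the only thing the attacker gets to read
 * is the address of one function inside the randomized module. */
uintptr_t info_leak(void) { return (uintptr_t)leaked_function; }

/* The intra-module offset an attacker measures once, offline, from a copy of the
 * same binary version.  It is computed in-process here only to keep the demo
 * self-contained; the value is the same either way. */
intptr_t offset_to_target(void) {
    return (intptr_t)((uintptr_t)target_function - (uintptr_t)leaked_function);
}

/* ASLR bypass: one leaked pointer plus a fixed offset yields the address of any
 * other code in that module, whatever base the OS chose this run. */
uintptr_t rebase(uintptr_t leaked, intptr_t delta) { return leaked + (uintptr_t)delta; }

/* DEP bypass in miniature: no instructions are written anywhere.  The derived
 * address points at pages the OS already marked executable, so transferring
 * control there (here via a function pointer, in a real attack via a hijacked
 * return address or ROP chain) is not blocked. */
int reuse_existing_code(uintptr_t addr, int arg) {
    int (*fn)(int) = (int (*)(int))addr;
    return fn(arg);
}

/* Whole chain: leak -> rebase -> call existing code.  Returns target_function(20). */
int demo(void) {
    uintptr_t leaked  = info_leak();
    uintptr_t derived = rebase(leaked, offset_to_target());
    return reuse_existing_code(derived, 20);
}

int main(void) {
    /* Run the binary twice: the absolute addresses change under ASLR, the
     * offset does not, and the chain still lands on target_function. */
    printf("leaked  = %#lx\n", (unsigned long)info_leak());
    printf("offset  = %ld\n", (long)offset_to_target());
    printf("derived = %#lx (target really at %#lx)\n",
           (unsigned long)rebase(info_leak(), offset_to_target()),
           (unsigned long)(uintptr_t)target_function);
    printf("result  = %d\n", demo());
    return 0;
}
```

Running the program twice on a system with ASLR enabled shows the leaked and derived addresses change together while the offset stays constant; that constancy is what makes a single pointer leak sufficient.  It is also why the fix for such bugs is to remove the leak or the redirect, not to rely on randomization alone.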






By crystal clear on 3/27/2010 2:28:29 AM , Rating: 4
Charlie Miller won't hand over 20 flaws he found by fuzzing Mac OS, Office, Adobe Reader

The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.

Instead, Charlie Miller will show the vendors how to find the bugs themselves.

"We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product. True, [the software] gets incrementally better, but they actually need to make big improvements. But I can't make them do that."

"People will criticize me and say I'm a bad guy for not handing over [the vulnerabilities], but it actually makes more sense to me to not tell them," Miller said. "What I can do is tell them how to find these bugs, and do what I did. That might get them to do more fuzzing." That, Miller maintained, would mean more secure software.

"Maybe some will say I'm bragging about finding the bugs, that I can kick ass, but I wasn't that smart. I did the trivial work and I still found bugs."

He went into the project figuring that he wouldn't find any vulnerabilities with the dumb fuzzer. "But I found bugs, lots of bugs. That was both surprising and disappointing."

And it also made him ask why vendors like Microsoft, Apple and Adobe, which have teams of security engineers and scores of machines running fuzzers looking for flaws, hadn't found these bugs long ago.

One researcher with three computers shouldn't be able to beat the efforts of entire teams, Miller argued. "It doesn't mean that they don't do [fuzzing], but that they don't do it very well."

By refusing to hand over technical information about the vulnerabilities he uncovered, Miller is betting that Microsoft, Apple and others will duplicate his work, and maybe, just maybe, be motivated to do better. "I think they'll feel some pressure to find these bugs," he said.

http://www.computerworld.com/s/article/9174120/Pwn...

Copyright 2014 DailyTech LLC.