iPhone, Safari, IE 8, Firefox hacked in contest
VANCOUVER, B.C.--Researchers on Wednesday demonstrated that they could hack a non-jailbroken iPhone, Safari running on Snow Leopard and Internet Explorer 8 and Firefox on Windows 7 as part of the annual Pwn2Own contest at the CanSecWest security show here.
Charlie Miller, principal security analyst at Independent Security Evaluators, won US$10,000 after hacking Safari on a MacBook Pro without having physical access to the machine. Miller won US$5,000 last year by exploiting a hole in Safari, and in 2008 nabbed US$10,000 hacking a MacBook Air, all on the same computer.
Peter Vreugdenhil, an independent security researcher from the Netherlands, will receive US$10,000 for using his exploit to bypass security features in IE 8.
Also winning US$10,000 was Nils, head of research at UK-based MWR InfoSecurity, who targeted Firefox. He declined to provide his last name. As a computer science student at the University of Oldenburg in Germany last year he won US$15,000 for exploits he demonstrated in IE 8, Safari, and Firefox.
And finally, Ralf Philipp Weinmann, of the University of Luxembourg, and Vincenzo Iozzo, of German company Zynamics, hacked the iPhone and will share the US$15,000 prize. Because Iozzo was delayed en route to the contest, his Zynamics colleague Thomas Dullien, better known as Halvar Flake in the security community, served as his proxy, organizers of the contest sponsored by TippingPoint's Zero Day Initiative said.
Miller declined to provide details on his exploit, but said the target computer was compromised after visiting a Web site hosting the malicious code.
"I got an interactive shell (interface) on his box so I could run any commands I want," he said. "He had no idea and his machine was totally patched."
Miller wrote the exploit in less than a week. "It was very reliable," he said. "Some researchers say it's 'weaponized,' which means it always works."
To hack IE 8, Vreugdenhil said he exploited two vulnerabilities in a four-part attack that involved bypassing ASLR (Address Space Layout Randomization) and evading DEP (Date Execution Prevention), which are designed to help stop attacks on the browser. As in the other attacks, the system was compromised when the browser visited a Web site hosting the attack code.
The exploit gave him user rights on the targeted computer, which he demonstrated by running the calculator on the machine.
Nils said he exploited a memory corruption vulnerability and also had to bypass ASLR and DEP as a result of a weakness in Mozilla's implementation. "It's Mozilla's turn to fix this," he said. "If properly used, they can be good mitigators."
He said it took him only a few days to write the exploit, which was created to run the Windows calculator for the demo. But "I could have started any process," he said.
Asked to comment on the researchers' ability to bypass ASLR and DEP, a Microsoft representative said the company would investigate the vulnerabilities. "We're not aware right now of any attacks taking place," said Pete LePage, an IE product manager.
For the iPhone contest, Iozzo and Weinmann wrote an exploit in about two weeks that was designed to steal the contents of the SMS database on an iPhone.
To accomplish the attack the target iPhone was used to visit a Web site hosting exploit code. "The payload executes and uploads the local SMS database of the phone to the server we control," said Weinmann.
The exploit was written to bypass the digital code signatures used on the iPhone to verify that the code in memory is from Apple, he said. The exploit then looked for chunks in Apple's code that could be pieced together to accomplish the attack, according to Weinmann.
"Bypassing the code signing was a major issue," Flake said. The technique used has been known since 1997 but has not been used on an ARM processor until now, he added.
While the attack was used to grab just the SMS data, which would include deleted messages, it could be designed to access contacts, photos, and other data on the iPhone, and without the user having any idea an attack was underway, the researchers said.
TippingPoint shares information on the exploits with the affected vendors so they can work on patches.
This article was first published as a blog post on CNET News.