Safari/MacBook first to fall at Pwn2Own 2011

Summary: A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge.

VANCOUVER -- A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge.

VUPEN co-founder Chaouki Bekrar lured a target MacBook to a specially rigged website and successfully launched a calculator on the compromised machine.

The hijacked machine was running a fully patched version of Mac OS X (64-bit).

In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine. A three-man team of researchers spent about two weeks finding the vulnerability (using fuzzers) and writing a reliable exploit.

VUPEN won a $15,000 cash prize and an Apple MacBook Air 13" running Mac OS X Snow Leopard.

Bekrar said the Safari exploit was "somewhat difficult" because of the lack of documentation regarding 64-bit Mac OS X exploitation.  "We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP (return oriented programming) technique," he explained.

"The main difficulty was doing this on our own, without the help of any documentation," he said.

He said the creation of a reliable exploit was "much more difficult" than finding the vulnerability.

follow Ryan Naraine on twitter

"There are many WebKit vulnerabilities.  You can run a fuzzer and get lots of good results.  But it's much more difficult to exploit it on x64 and to make your exploit very reliable," he said.

Bekrar's winning exploit did not even crash the browser after exploitation.   Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser.

The exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X.

"The victim visits a web page, he gets owned.  No other interaction is needed."

Bekrar said VUPEN plans to hit Internet Explorer 8 on 64-bit Windows 7 (SP1) later in the contest.

Talkback

133 comments
  • RE: Safari/MacBook first to fall at Pwn2Own 2011

    Pretty impressive!
    kenosha77a
    • See what happens when using FOSS

      ... engine in your code. Cheap means low quality, always does.
      LBiege
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @LBiege hmm..you know, you're right! No more FOSS for me.
        deathjazz
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @LBiege You mean cheap as in 'free', like IE?
        anothercanuck
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @LBiege
        Chrome is based on Webkit too, and Gecko in Firefox is open source as well. Both are FOSS, and still standing after day 1. Both Safari and IE8 are proprietary software and got Pwned. So maybe the problem is with poor implementations of code (whether based on FOSS or closed source) and not with FOSS.
        balaknair
      • Explain all the IE flaws

        @LBiege I'll be waiting with bated breath
        quesomal
    • Here's what would be useful.

      @kenosha7777

      1. Record the trends in time and effort required to exploit each OS from year to year. Is OS security improving as anticipated with the move to 64 bit?

      2. Include Windows XP in the contest. All those XP advocates wouldn't want to be slighted, right?
      Lester Young
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @Lester Young

        This points out that apple mac isn't perfect. People have the false misconception that apple macs do not get viruses because they are better programmed, when actually it is that they are less of a target than microsoft. As Bekrar mentioned here, it was difficult because of the lack of information which supports what I said. I also look forward to the results of them trying this on the IE 8 on windows too. I am sure it will be a lot simpler due to the wealth of information available.
        W35dy
    • RE: Safari/MacBook first to fall at Pwn2Own 2011

      @kenosha7777 Yes it is :) Best stuff I've seen in my life, we use it for magento (http://www.magentowebshop.nu) development.
      marc56
  • RE: Safari/MacBook first to fall at Pwn2Own 2011

    No surprises here. Worst security out there.
    Droid101
    • Nope.

      @Droid101

      Best hardware.

      They give away a free machine to the first person who hacks it. Everyone goes for the Macs first, because they all want one.
      RationalGuy
      • Though I believe many may tell themselves that as an excuse

        @RationalGuy
        No one actually believes that.
        :|
        Tim Cook
      • well he says he has a Win7 exploit in his back pocket..

        @RationalGuy... so why did he go for the MacOS exploit first?
        doctorSpoc
      • You'll get no answer from Mister Spock

        Because he doesn't have one.
        cat o nine tails
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @RationalGuy
        What's even funnier is: Even though they went after OS X and Safari first, Windows 7 and IE got hacked faster.
        "Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser."

        "Using the target machine, he clicked on a link and *immediately* launched the calculator app (calc.exe). He was also required to write to a file to prove that he got out of the low integrity mode. This proved that he got full user access to the hijacked machine."
        Rick_K
      • How do you know this?

        @Rick_K: "What's even funnier is: Even though they went after OS X and Safari first, Windows 7 and IE got hacked faster."
        ye
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @RationalGuy dude, the last two years they broke into the Macs within an average of like 1 minute and 20 seconds... by contrast the PC was standing for several hours and they were all being attacked.
        slickjim
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @doctorSpoc why did they go after macs first? Cause it is the easiest to exploit. This is coming from a Linux user.
        topgun966
      • RE: Safari/MacBook first to fall at Pwn2Own 2011

        @ye
        Well if the guy that hacked Windows 7 SP1 and IE won the $15,000 that would mean he hacked it faster. Simple logic says that the winner is the one that gained fastest access to the fully patched machine.
        "For his efforts, Fewer won a $15,000 cash prize and a new Windows laptop."

        http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367

        Or did you not read that part?
        Rick_K
      • Yes, I read it. And?

        @Rick_K: "Well if the guy that hacked Windows 7 SP1 and IE won the $15,000 that would mean he hacked it faster."

        How so?
        ye