Topic: Operating Systems

Safari/MacBook first to fall at Pwn2Own 2011

Summary: A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge.

By Ryan Naraine for Zero Day | March 9, 2011 -- 15:56 GMT (07:56 PST)

Follow @ryanaraine

VANCOUVER -- A team of security researchers from the French pen-testing firm VUPEN successfully exploited a zero-day flaw in Apple's Safari browser to win this year's Pwn2Own hacker challenge.

VUPEN co-founder Chaouki Bekrar (right) lured a target MacBook to a specially rigged website and successfully launched a calculator on the compromised machine.

The hijacked machine was running a fully patched version of Mac OS X (64-bit).

In an interview with ZDNet, Bekrar said the vulnerability exists in WebKit, the open-source browser rendering engine. A three-man team of researchers spent about two weeks to find the vulnerability (using fuzzers) and writing a reliable exploit.

VUPEN won a $15,000 cash prize and an Apple MacBook Air 13" running Mac OS X Snow Leopard.

Bekrar said the Safari exploit was "somewhat difficult" because of the lack of documentation regarding 64-bit Mac OS X exploitation. "We had to do everything from scratch. We had to create a debugging tool, create the shellcode and create the ROP (return oriented programming) technique," he explained.

"The main difficulty was doing this on our own, without the help of any documentation," he said.

[ SEE: Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches ]

He said the creation of a reliable exploit was "much more difficult" than finding the vulnerability.

follow Ryan Naraine on twitter

"There are many WebKit vulnerabilities. You can run a fuzzer and get lots of good results. But it's much more difficult to exploit it on x64 and to make your exploit very reliable," he said.

Bekrar's winning exploit did not even crash the browser after exploitation. Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser.

[ SEE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities ]

The exploit bypassed ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two key anti-exploit mitigations built into Mac OS X.

"The victim visits a web page, he gets owned. No other interaction is needed."

Bekrar said VUPEN plans to hit Internet Explorer 8 on 64-bit Windows 7 (SP1) later in the contest.

Topics: Operating Systems, Apple, CXO, Hardware, Laptops, Mobility, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

133 comments

Log in or register to join the discussion

RE: Safari/MacBook first to fall at Pwn2Own 2011

Pretty impressive!

kenosha77a
9 March, 2011 16:12

Reply Vote
- See what happens when using FOSS
 
 ... engine in your code. Cheap means low quality, always does.
 
 LBiege
 9 March, 2011 17:49
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @LBiege hmm..you know, you're right! No more FOSS for me.
 
 willyampz
 9 March, 2011 18:26
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @LBiege You mean cheap as in 'free', like IE?
 
 anothercanuck
 9 March, 2011 21:11
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @LBiege
 Chrome is based on Webkit too, and Gecko in Firefox is open source as well. Both are FOSS, and still standing after day 1. Both Safari and IE8 are proprietary software and got Pwned. So maybe the problem is with poor implementations of code(whether based on FOSS or closed source) and not with FOSS.
 
 balaknair
 10 March, 2011 09:17
 
 Reply Vote
 - Explain all the IE flaws
 
 @LBiege I'll be waiting with baited breath
 
 quesomal
 10 March, 2011 21:07
 
 Reply Vote
- Here's what would be useful.
 
 @kenosha7777
 
 1. Record the trends in time and effort required to exploit each OS from year to year. Is OS security improving as anticipated with the move to 64 bit?
 
 2. Include Windows XP in the contest. All those XP advocates wouldn't want to be slighted, right?
 
 Lester Young
 10 March, 2011 21:49
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @Lester Young This points out that apple mac isn't perfect. People have the false misconception that apple macs do not get viruses because they are better programmed, when actually it is that they are less of a target than microsoft. As Bekrar mentioned here, it was difficult because of the lack of information which supports what I said. I also look forward to the results of them trying this on the IE 8 on windows too. I am sure it will be a lot simpler due to the wealth of information available. 
 
 W35dy
 7 November, 2011 11:39
 
 Reply Vote
- RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @kenosha7777 Yes it is:) Best stuff i've seen in my life, we use it for <a href="http://www.magentowebshop.nu">magento</a> development.
 
 marc56
 27 September, 2011 08:49
 
 Reply Vote
RE: Safari/MacBook first to fall at Pwn2Own 2011

No surprises here. Worst security out there.

Droid101
9 March, 2011 16:13

Reply Vote
- Nope.
 
 @Droid101
 
 Best hardware.
 
 They give away a free machine to the first person who hacks it. Everyone goes for the Macs first, because they all want one.
 
 RationalGuy
 9 March, 2011 16:49
 
 Reply Vote
 - Though I believe many may tell themselves that as an excuse
 
 @RationalGuy
 No one actually believes that.
 :|
 
 Tim Cook
 9 March, 2011 16:54
 
 Reply Vote
 - well he says he has a Win7 exploit in his back pocket..
 
 @RationalGuy... so why did he go for the MacOS exploit first?
 
 doctorSpoc
 9 March, 2011 17:06
 
 Reply Vote
 - You'll get no answer from Mister Spock
 
 Because he doesn't have one.
 
 cat o nine tails
 9 March, 2011 17:18
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @RationalGuy
 What?s even funnier is: Even though they went after OS X and Safari first, Windows 7 and IE got hacked faster.
 Within five seconds of surfing to the rigged site, he successfully launched the calculator app and wrote a file on the disk without crashing the browser.
 
 Using the target machine, he clicked on a link and immediately launched the calculator app (calc.exe). He was also required to write to a file to prove that he got out of the low integrity mode. This proved that he got full user access to the hijackedmachine.
 
 Rick_K
 9 March, 2011 17:50
 
 Reply Vote
 - How do you know this?
 
 @Rick_K: Whats even funnier is: Even though they went after OS X and Safari first, Windows 7 and IE got hacked faster.
 
 ye
 9 March, 2011 19:26
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @RationalGuy dude, the last two years they broke into the Macs within an average of like 1 minute and 20 seconds... by contrast the PC was standing for several hours and they were all being attacked.
 
 slickjim
 9 March, 2011 20:06
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @doctorSpoc why did they go after macs first? Cause it is the easiest to exploit. This is coming from a Linux user.
 
 topgun966
 10 March, 2011 02:52
 
 Reply Vote
 - RE: Safari/MacBook first to fall at Pwn2Own 2011
 
 @ye
 Well if the guy that hacked Windows 7 SP1 and IE won the $15,000 that would mean he hacked it faster. Simple logic says that the winner is the one that gained fastest access to the fully patched machine.
 For his efforts, Fewer won a $15,000 cash prize and a new Windows laptop.
 
 http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367
 
 Or did you not read that part?
 
 Rick_K
 10 March, 2011 03:05
 
 Reply Vote
 - Yes, I read it. And?
 
 @Rick_K: [i]Well if the guy that hacked Windows 7 SP1 and IE won the $15,000 that would mean he hacked it faster.[/i]
 
 How so?
 
 ye
 10 March, 2011 04:37
 
 Reply Vote