Conference's Mac Hack contest a three-way race this year.
by Bob McMillan, Security Blanket
Tue, 2008-03-18 07:18
Topic(s):

Organizers of the CanSecWest conference happening in Vancouver next week have re-introduced their Mack Hack contest. Only this year, it's a three-way race. Here are the rules, as explained by Dragos Rui, the conference's organizer.

Announcing CanSecWest PWN2OWN 2008.
===================================

Three targets, all patched.  All in typical client configurations with
typical user configurations.  You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to
claim the prize.

Targets (typical road-warrior clients):

         VAIO VGN-TZ37CN running Ubuntu 7.10
         Fujitsu U810 running Vista Ultimate SP1
         MacBook Air running OSX 10.5.2

This year's contest will begin on March 26th, and go during the
presentation hours and breaks of the conference until March 28th.
The main purpose of this contest is to present new vulnerabilities in
these systems so that the affected vendor(s) can address them.
Participation is open to any registered attendee of CanSecWest 2008.

Once you extract your claim ticket file from a laptop (note that doing
so will involve executing code on the box, simple directory traversal
style bugs are inadequate), you get to keep it. You also get to
participate in 3com / Tipping Point's Zero Day Initiative, with the top
award for remote, pre-auth, vulnerabilities being $25k. More fine print
and details on the cash prizes are available from TippingPoint's DVLabs
blog (http://dvlabs.tippingpoint.com/). More fine print and rules for
the contest will be found at the http://cansecwest.com/ site.

Quick Overview:

-Limit one laptop per contestant.

-You can't use the same vulnerability to claim more than one box, if it
is a cross-platform issue.

-Thirty minute attack slots given to contestants at each box.

-Attack slots will be scheduled at the contest start by the methods
selected by the judges.

-Attacks are done via crossover cable. (attacker controls default route)

-RF attacks are done offsite by special arrangement...

-No physical access to the machines.

-Major web browsers (IE, Safari, Konqueror, Firefox), widely used and
deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium,
Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird,
kmail, mutt) are all in scope.

Fine Print:

These computers are REAL and FULLY patched. All third party software is
widely used. There are no imitation vulnerabilities. Any exploit
successfully used in this contest would also compromise a significant
percentage of Internet connected hosts.  Instead, players choose to use
their exploits here, at CanSecWest PWN2OWN 2008.  All successful exploits
will be turned over to the appropriate vendor and patched before details
are made public.

Rules

1. Attacks remain confidential until prize is claimed

Players will connect to the targets with a crossover cable and we will
not record the network traffic or log anything other than what is done
by default.

Successful exploits can be delivered directly to Tipping Point after the
we verify that you control the target.

In the event that internet connectivity is required (eg. IM clients)
we will put the target online behind a firewall. We won't sniff at the
firewall, but we can make no guarantees for upstream networks. (so be
careful what you send over the Internet!)

2. No wireless attacks in the conference area

Players with intent to use wireless attacks must inform us in advance.
We will relocate to a secluded, undisclosed location to test.

3. One attacker per target at a time

As is obvious from rule #1 and rule #2, one player gets exclusive access
to any target at one time.

4. Players take turns, no hogging the targets

Players are limited to 30 minutes per attempt. We will mercilessly
disconnect your cable at the end of each attack slot. Be fast!
We will reboot the targets before each session begins.

5. First come, first served access to targets.

Players get in line for their turns and may take an unlimited number
of turns. If a player runs out of time and no one else is waiting for
access to the target he may continue for another turn. Players may not
have more than 1 turn in any 30 minute period. (That means we won't
reboot a target any time you feel like it)

6. Remote, pre-authentication attacks are required to win

Players may not physically touch the targets or look at the target's
display. Players are required to demonstrate to our satisfaction that
arbitrary code runs on the target.

7. Attackers control the default route for the target.

Players may become the target's default gateway in order to perform man
in the middle attacks.

8. Contest officials visit attacker web servers

Players may direct us to visit a web server running on the player's
computer. Players may specify which browser to use.

Keep the URL reasonable. We're not going to type weird addresses in.
Once we hit enter that's it. We will not click on any links.

9. Contest officials read email from attackers

Auto-preview (Preview panes, etc) is enabled on mail readers, but we will
not click on links contained therein or open attachments.

10. Contest officials will add attackers on IM and read their messages.

They will not click on links or open file transfers.

11. Client Application list:

The fully patched client-side applications that qualify for a prize includes:

.     Adobe PDF
.     Adobe Flash
.     Microsoft Silverlight
.     Microsoft Internet Explorer
.     Microsoft Outlook/Outlook Express
.     Firefox
.     Safari
.     iChat
.     Apple Mail
.     Skype
.     Adium
.     Pigdin
.     Kmail
.     Thunderbird
.     Evolution
.     mutt
.     AOL, Yahoo!, and MSN official IM clients
.     Java/JRE

Other software may be added to this list at our discretion of if we
deem it represents a significant attack target on normal internet
clients at large.

12. Winning exploits must be true 0day.

They may not have already been submitted to the affected vendor or
to third parties.

13. Each machine will be secured to common industry best practices.

We'll get Andrea Barisani from our Hardening Linux Dojo (which still
has seats available :) to look over the Ubuntu machine, and the
Microsoft/iSec/Core DTF folks to secure the Windows boxes, and Josh
Ryder our local Mac zealot to look at the OSX wafer.

Special Thanks:

-LTC Ron Dodge, USMA, for agreeing to be in the hot seat as the judge.
-The folks at 3com Tipping Point ZDI for helping out.
-The folks at White Wolf Security for assistance in the design, prep,
 and running the challenge.

--Robert McMillan

» read more from Bob McMillan | post a comment
Ads by TechWords
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
* Denotes a required field
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WEBCAST
IT productivity challenges: Google survey results

GoogleIn this webcast, Google reveals results from a survey of message security and compliance priorities and concerns. Download a free copy of the survey report after registering.

» Watch the Webcast

Sponsored Links

Secure your virtual and physical environments with the same software.

ITCi White Paper: Challenges and Opportunities of PCI

The PCI Data Security Standard

Hardware-based security. That's IT as it should be.

Eliminate network threats and downtime with Juniper Networks. View demo

Configuration Audit and Control for Virtualized Environments

Webcast: Best practices in application security: How do you stack up?

Webcast: learn results from an annual Google message security survey of 575 global IT professionals

White Paper: Learn more about how you can use compliance as a means of competitive differentiation.

This white paper presents document security strategies and best practices

Compliance: Moving From Mandate to Differentiator White Paper

Diebold: Frost & Sullivan Global Physical Security Systems Integrator of the Year

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

Gene Kim's Practical Steps to Mitigate Virtualization Security Risks

Visit the RSA resource center and learn more about the Payment Card Industry (PCI).

A Guide to Providing Proactive Protection to Consumer Online Transactions

IT Service Management: Metrics That Matter

White Paper: Learn how to use Adaptec(R) Snap Server(TM) with MOBOTIX IP Network Cameras

White Paper: Use DAM technology when there is a need for granular monitoring.

This whitepaper describes how you can test your Web applications with virtualization

Read The Evolution of Application Security in Online Banking White Paper