PWN2OWN Rehashed
So Black Hat is over and CanSecWest is over. Hack in the Box is coming up, but in the meantime let's talk about PWN2OWN.

Luckily, both prizes from the PWN2OWN contest went to the right people, but I am more interested in what it was that owned Vista. After all, Vista is meant to be secure from the ground up, although we know that once you fix one type of vulnerability, another will emerge and become predominant. These are the rules of nature. We had better get used to them.
Considering the experience of the winners, I assumed that the vulnerability was a standard overflow combined with luck and an ingenious way of bypassing Vista's protection features. Then I read this:
"Macaulay, who was a co-winner of last year's hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That's because Macaulay hadn't been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures…
Under contest rules, Macaulay and Miller aren't allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security.
'The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place,' he (Macaulay) said in an interview shortly after he claimed his prize Friday. 'This could affect Linux or Mac OS X.' Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products."
I assume that it has nothing to do with overflows, since the attack vector is cross-platform. There is still a slight chance that an overflow was used, given that Alexander Sotirov teamed up with them and that Java disables DEP because of various complications within the JVM. My bet, though, is on a cross-platform bug that relies on Java being stupid. It could have been a URL bug, some variation of a Same Origin Policy bypass/violation, or even Cross-origin Scripting, as we have seen a few of those already. I touched on Java's SOP in my Black Hat talk and showed some problems with it. There you go; that might be a good starting point.
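One thing worth verifying before betting either way is whether the JVM on a given box actually runs without DEP. The following PowerShell check is an added example, not code from the original post or from the contestants: it reports the system-wide DEP policy and then asks the kernel, per process, whether DEP is enabled for java/javaw/iexplore. It assumes Windows PowerShell 3 or later for Get-CimInstance (use Get-WmiObject on older systems), Vista SP1 or later for GetProcessDEPPolicy, and 32-bit target processes, since on 64-bit Windows that API only reports on 32-bit processes (DEP is always on for 64-bit ones).

```powershell
# Added example (not from the original post): check the system-wide DEP policy and
# whether specific running processes (the JVM, the browser) have DEP enabled.
# Assumes Windows PowerShell 3+ (Get-CimInstance) and Vista SP1+ (GetProcessDEPPolicy).

# System-wide policy, as exposed by WMI:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$sysPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy: $sysPolicy ($($policyNames[$sysPolicy]))"

# Per-process policy via kernel32!GetProcessDEPPolicy. On 64-bit Windows this call
# only succeeds for 32-bit processes; 64-bit processes always have DEP enforced.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

$PROCESS_DEP_ENABLE = 0x1   # flag bit meaning DEP is on for the process

# Process names are assumptions: adjust to the JVM and browser actually in use.
foreach ($p in Get-Process -Name 'java', 'javaw', 'iexplore' -ErrorAction SilentlyContinue) {
    [uint32]$flags = 0
    [bool]$permanent = $false
    try {
        # $p.Handle opens the process; this throws if we lack rights to query it.
        $ok = [Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)
        if ($ok) {
            $state = if ($flags -band $PROCESS_DEP_ENABLE) { 'enabled' } else { 'DISABLED' }
            "{0,-10} PID {1,-6} DEP {2} (permanent: {3})" -f $p.ProcessName, $p.Id, $state, $permanent
        } else {
            # Typical causes: a 64-bit target process, or a pre-SP1 system.
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            "{0,-10} PID {1,-6} GetProcessDEPPolicy failed (Win32 error {2})" -f $p.ProcessName, $p.Id, $err
        }
    } catch {
        "{0,-10} PID {1,-6} could not open process: {2}" -f $p.ProcessName, $p.Id, $_.Exception.Message
    }
}
```

Run it from an elevated prompt if the target processes belong to another user. A browser showing DEP enabled while the JVM it spawned shows DISABLED is exactly the situation the speculation above is about.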
The $10,000 + laptop question is whether the bug that was used is unique by nature and whether others can repeat it. I can tell you for a fact that SOP and XOS (cross-origin scripting) bugs, which are far more common today than ever, are all over the place. Just in the past couple of months we have personally released a bunch of them, and I have been working with other researchers on various SOP and XOS bugs which haven't been disclosed yet. Unless the organizers of CanSecWest change the rules of the competition, I can guarantee you that more and more winners will follow. And just to spoil the fun, we might even release one just before the next event. Why not!
Comments
I think you might want to have a look at Java socket handling.
You have a chance to find out for yourself, we’re selling the pwned Vista box on eBay. The exploit might still be in the IE cache :-)
http://cgi.ebay.ca/ws/eBayISAP.....0214168502
zer0,
I am aware of a few vulns around Java sockets which affect the JVM at the moment. However, there were even some in the past which could allow access to localhost services via the use of the relatively unknown URL handler. I hope that the JVM was patched :) for the contest.
Alexander,
current bid US $202.51, that's kind of cheap for this laptop + bonus exploit.
I figured it would only be a matter of time until eBay pulled the auction, but I did get a chance to read about it from the interview with Alexander.
Alex Sotirov, the bid's already been removed :(