Browser and Smartphone Exploits Fly at Pwn2Own [Recap]

With Google offering $20,000 for a Chrome sandbox exploit, Apple releasing fresh security updates, and the organisers allowing researchers to target mobile phone basebands, it was sure make for an interesting Pwn2Own contest at CanSecWest this year.

For the fifth year running, Pwn2Own invited security researchers to discover vulnerabilities and develop exploits for the most popular browsers on Mac OS X and Windows (for some reason Linux is left out this year). Traditionally IE, Firefox and Safari have gotten exploited, with Chrome being the last browser standing at last year’s competition. Google upped the ante by making it significantly more attractive to target their browser this year.

In short: Safari, Internet Explorer, iPhone and Blackberry were all successfully compromised. Chrome and Firefox survive. Hit the jump for the full details!

Browsers

Safari 5.0.4 on Mac OS X 10.6, and Internet Explorer 8 on Windows 7 were both compromised on the first day of the competition. French security company VUPEN compromised Safari with a WebKit vulnerability, but stated that it was a particularly difficult exploit to engineer on the 64-bit system. Internet Explorer 8 was hacked by Stephen Fewer using three separate vulnerabilities in order to successfully bypass DEP and ASLR. Microsoft have confirmed that the vulnerability is patched in IE9 coming out on Monday (14/03/11). Thus far Google Chrome and Firefox remain unhacked. This would make it Chrome’s second year running without getting hacked at Pwn2Own, which must make the Chrome team extremely happy. Firefox and Google‘s bug bounty programs must be working well.

On a side note, I’d like to clarify statements about the Mac being “the first to get hacked” and “within 5 seconds”. This seems to cause a lot of misunderstanding with the media, and those unfamiliar with how security works in general. It’s not like all the researchers sat down at the same time and had to come up with a hack on the spot. These guys have been developing their exploits for several weeks (sometimes months), and working on making them reliable. Once they have an exploit, it’s simply a question of pointing their target browser to a page hosting it, at which point any system with that vulnerability will get compromised immediately or “within 5 seconds”. The reason why Safari was the first to be hacked, is because the Mac is always the first platform to be tested at Pwn2Own.

Smartphones

Pwn2Own also allows researchers to target smartphones (although they usually only target the browser on these as well). This year’s mobile device targets were as follows:

• Dell Venue Pro running Windows 7
• iPhone 4 running iOS 4.2.1 (and not the newly-released iOS 4.3 with many security updates and ASLR)
• Blackberry Torch 9800 running Blackberry 6 OS
• Nexus S running Android

I’m surprised that they didn’t include HP’s WebOS, but to be honest WebOS is so bad, it pretty much exploits itself as it is.

The iPhone running iOS 4.2.1 was hacked by Charlie Miller (0xcharlie) – again – using a vulnerability in MobileSafari that he developed together with Dion Blazakis (@dionthegod). Although their exploit does not work on iOS 4.3 due to the newly-added ASLR, the original vulnerability is allegedly still there. The Blackberry was also hacked, address book and photos extracted, by a team of three researchers using a vulnerability in the new WebKit-based browser in Blackberry OS 6. The team have credited the lack of vulnerabilities on the Blackberry so far to the obscurity of the platform. The Android and Windows 7 phones have yet to get pwned (although we know these two have vulns regardless). I also haven’t heard of any baseband vulnerabilities being exploited yet.

We can expect patches for all these browser and smartphone vulns pretty quickly. Keep your eyes open next week.