The Vancouver Massacre
All platforms went down.
VANCOUVER (Rixstep) — CanSecWest opened, the hackers came, the platforms got clobbered.
Windows 7 got hacked with IE8, the iPhone was gutted, and Charlie Miller crushed a MacBook for the third year in a row.
And still the fun has only begun.
IE8/Win7
Dutch hacker Peter Vreugdenhil hacked Windows 7 with IE8 by bypassing the system's ASLR and DEP.
'I started with a bypass for ASLR which gave me the base address for one of the modules loaded into IE. I used that knowledge to do the DEP bypass.'
Vreugdenhil said it took him about two weeks to get around the ASLR and DEP mitigations. He wins $10,000 and a new Windows machine which he'll probably sell on eBay immediately.
Microsoft representatives were on hand to witness the exploit in action but admitted they had a hard time following along.
iPhone
Apple's (in)famous FreeBSD-based device with everything running as Windows root was the next victim - and it got clobbered without mercy. Hackers from Halvar Flake's Zynamics gutted the device in the time it normally takes to load a web page.
Vincenzo Iozzo and Ralf Philipp Weinmann used an ingenious technique known as return-oriented programming to turn the device's own code on itself.
And this was all done with Apple code signing fully in place on the victim phone.
The key to return-oriented programming is that it doesn't use code injection - it uses code already loaded into the process address space.
'Apple have pretty good countermeasures but they're clearly not enough. The way they implement code signing is too lenient', commented Flake. TippingPoint themselves describe the attack as 'very impressive'.
MacBook
Charlie Miller took home a MacBook (and a cash prize) for the third year in a row - this despite Apple scrambling at the last minute to patch over one dozen known security holes in their Safari web browser.
A conference organiser was asked to surf to a prepared web page and got to watch as Miller took control of the Apple machine.
Miller also plans to present 20 (twenty) new zero day exploits against Apple's Mac OS X operating system during the CanSecWest conference.
Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model rather than the user. - Independent Security Evaluators