Dan Hamilton's shared items

Saturday, April 21, 2007

Macbook: hacked or not?

There's news that a MacBook has been hacked at CanSecWest, a computer security conference. Apparently as a challenge, the conference organized a contest to see if someone could hack into two MacBooks. Here were the rules:


We've announced that we will be having a contest "PWN to OWN" where two, pimp, loaded up, Apple MacBook Pros will be set up on their own AP (with security updates but otherwise default) and attendees will be able to connect to the ethernet or WiFi. The first to exploit it (there are victory conditions, and progressive rules over the three days) gets to go home with it. (Limit one per person, can't use the same vuln on both.) If they survive the three days in the "jungle," they become prizes for best lightning talk and best speaker. Detailed contest rules to follow shortly.

At one point there were detailed rules on the site, but I can't seem to find them. As I recall, they initially proposed that the first day nothing would be done to the MacBooks, you had to get access remotely. If no one was able to get access by the end of the first day then they would relax the rules to allow access from the local network that the MacBooks were connected to. And then, on the final day they would allow access to the machine via its USB port. Of course, I could be remembering this wrong. I glanced at the rules when they announced the contest.

Apparently, after the first day, no one could get access so they relaxed the rules. They then apparently allowed folks to send emails with links to the MacBook and the conference organizers then opened the links with Safari. The Rixstep web site summarizes what happened next:


The CanSecWest Applied Security Conference held from 18-20 April 2007 netted one exploit against a fully patched MacBook Pro after a number of false starts and initial failures. The initial contest - to 'PWN' MacBook Pros accessible on internal IANA IPs - met with no success despite the machines themselves being the prizes to the winners.
It was only when the organisers upped the ante and lightened the rules of the contest that an exploit succeeded. The new rules specified sending URLs to the organisers which they would access from the MBPs with the default Safari web browser.
'There has not been a successful attack. Time to expand your attack surface. Email links and we will visit them using Safari', read the communique. Then, two hours twenty four minutes later:
'One OS X box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go.'
'The first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.'
No one ever got root.


The Rixstep article lays it out pretty well. No one ever got root. And I even question the hack given what I remember about the rules - the MacBook was hacked on Friday, which was the third day of the conference. Of course, like I said before, I could remember it wrong.

So is this a big deal? I don't think so. To me, the important thing for security is for my machine to fight attacks that I, as a user, have no hand in initiating. Clearly, if the MacBook was hacked, the attack described requires a user to open an email and click on a link. That implies that the email has to spoof the user, which to me is a pretty big deal. By now everyone is so familiar with spam (or should be) that it would have to be a pretty convincing email for me to click on a link (even assuming that it somehow slipped by the excellent spam filter in Apple's mail. Which reminds me of another interesting question. Would the hack work via webmail, e.g., gmail? I don't know, but if I had to guess I would say no).

Nevertheless, the tech web is buzzing (as usual) with Apple Hacked headlines. IDG (as usual) put out a misleading story which the Rixstep article, I think, convincingly corrects.

Even if this is indeed a real hack and, even if you buy the contrived actions you need to perform to open the MacBook up to the hack, I can think of two things that need to be considered. First, it looks to me like an input manager hack. The changes to input manager in the next version of Mac OS X (10.5) will take care of that. Second, if it is real then it looks to me like a relatively quick fix to Mac OS 10.4 to prevent it. But, like I said, I think it's a contrived hack. Any responsible user would probably never have to worry about it. I know I won't.

Also, Arstechnica has a good article on the technical details.