Browsers and Operating Systems pwned and hacked during Pwn2own; only Google Chrome survives [Hack Fest]

By Soumya Deb | Published on 26 Mar 2010

TippingPoint's Zero Day Initiative (ZDI) hacking challenge, Pwn2own 2010, is making things hard for many of the well-known 'secure' browsers and platforms. Hackers have breached the security of Windows 7 and Mac OS X, mostly through browser vulnerabilities. Even the Apple iPhone was not spared.


Security researcher Peter Vreugdenhil managed to crack Windows 7 64-bit through Internet Explorer 8. He first bypassed ASLR (Address Space Layout Randomization), a security feature of Windows, and used that to break into the browser. He then used the information gleaned to bypass DEP (Data Execution Prevention) and gain complete control of the victim's system. The Microsoft experts present stated that they were not aware of the flaw and would soon work on a fix. Vreugdenhil said he used fuzz-test logs (fuzzing is a brute-force bug-finding technique) to expose the vulnerability, and that coding the exploit took nearly two weeks.
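The IE8 attack described above hinged on defeating two Windows mitigations, ASLR and DEP. A Windows executable or DLL opts into both through flag bits in its PE header, so a defender's first check on a browser and its plug-ins is whether every loaded module actually carries those bits. The following Python is an added example, not code from the article or from any of the researchers it names: it parses a PE header for the DYNAMIC_BASE and NX_COMPAT flags (values as documented in the PE/COFF specification) and reports which mitigations an image lacks. The header-only images it builds for demonstration are constructed test data, and the function names are my own.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification (Microsoft-documented values).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is compatible with DEP (no-execute)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# Offset of DllCharacteristics from the start of the optional header. It is the same for
# PE32 and PE32+: PE32+ drops BaseOfData (4 bytes) but widens ImageBase to 8 bytes.
DLL_CHARACTERISTICS_OFFSET = 70


def mitigation_flags(image: bytes) -> dict:
    """Return which loader-enforced mitigations a PE image opts into.

    Only the headers are inspected, so a truncated file that still contains the
    optional header is enough. Raises ValueError for anything that is not a PE.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff_header = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", image, coff_header + 16)
    optional_header = coff_header + 20
    if size_of_optional_header < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, optional_header)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_characteristics,) = struct.unpack_from(
        "<H", image, optional_header + DLL_CHARACTERISTICS_OFFSET
    )
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the mitigations the image does NOT opt into: the finding a reviewer reports."""
    flags = mitigation_flags(image)
    return [name for name in ("aslr", "dep") if not flags[name]]


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image for demonstration (constructed test data, not a real binary)."""
    e_lfanew = 0x40
    dos_header = bytearray(e_lfanew)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    optional_size = 240 if pe32plus else 224  # standard sizes including 16 data directories
    machine = 0x8664 if pe32plus else 0x14C   # AMD64 or i386
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x0002 = executable image)
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, optional_size, 0x0002)
    optional_header = bytearray(optional_size)
    struct.pack_into("<H", optional_header, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional_header, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos_header) + b"PE\0\0" + coff_header + bytes(optional_header)


if __name__ == "__main__":
    hardened = build_minimal_pe(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    )
    legacy = build_minimal_pe(0)  # a plug-in or DLL built without either opt-in
    print("hardened:", mitigation_flags(hardened), "missing:", missing_mitigations(hardened))
    print("legacy:  ", mitigation_flags(legacy), "missing:", missing_mitigations(legacy))
```

A set bit only means the loader is allowed to apply the mitigation; system policy still decides whether DEP is enforced for the process. The reason to run this over every DLL and plug-in a browser loads, not just the main executable, is that on Windows 7 a single module without DYNAMIC_BASE is mapped at a fixed address and gives an attacker exactly the kind of stable address that an ASLR bypass is meant to obtain.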


For the third time in a row, Charlie Miller successfully exploited a MacBook through a Safari vulnerability. He used a website to exploit one of the conference organizers' MacBooks: when that person opened the site's link in Safari, Miller immediately gained control of the laptop. Like Vreugdenhil, Miller used fuzzing to find the vulnerability. Details of the whole process have been withheld for security reasons.


Safari's security holes proved fatal for the iPhone too. Vincenzo Iozzo (22) and Ralf Philipp Weinmann (32) used a vulnerability in iPhone Safari to break into the device and hijack the whole SMS database. The duo got the iPhone 3GS user to browse to their specially crafted attack website with Safari and so gained control of the device. Weinmann explained that a non-root user named 'mobile' exists in the device's sandbox and has ordinary user-like privileges; this user account is what they actually compromised. So, essentially, everything that 'mobile' can do, they can do, remotely. To the victim it looked like a normal page loading, while in that 20-second span the entire SMS database was stolen. The attack did not go entirely smoothly, though: the browser crashed afterwards. Weinmann said they can fix this so that the process terminates without any notice to the user.


[Photos: Peter Vreugdenhil; Charlie Miller; iPhone Hack Team; Firefox Hacker Nils]


The Firefox and Opera browsers were also under attack. Firefox was defeated with a zero-day vulnerability on Windows 7. The payload launched calc.exe (Calculator), though the hacker, Nils (a student at the University of Oldenburg and a researcher at MWR InfoSecurity), reported that it can be swapped for any process. The Firefox and Opera attacks are reported to be similar to the IE8 hack, though little detail has been released on that matter. Chrome was the only browser that didn't fall to any of these attacks. Miller stated that he finds Chrome's sandbox very hard to crack, even though a vulnerability in it is known. All of the successful hackers won plenty of prizes for their achievements. USD 10,000 was the base prize money for each challenge, along with the system they hacked into. Bonus prizes include USD 5,000, 20,000 ZDI points, a 25% reward for Pwn2own 2011, a 15% prize money bonus for Pwn2own 2011 and a free trip to DEFCON in Las Vegas.


Today, 26 March, ZDI (Zero Day Initiative) is due to report to the vendors of each vulnerable platform with details of the attacks and loopholes so that they can work on fixing them. In the meantime, we can only ask you to wait for a security update for your favourite browser (ignore this message if you are a Google Chrome user).

