MacBook Air First To Be Compromised In Hacking Contest
Multiple readers have written to let us know that the MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful hijacking took place only two minutes into the second day of the competition, after the rules had been relaxed to allow the visiting of websites and opening of emails. The TippingPoint blog reveals that the vulnerability was located within Safari, but they won't release specific details until Apple has had a chance to correct the problem. The winner, Charlie Miller, gets to keep the laptop and $10,000. We covered the contest last year, and the results were similar.
This space for rent.
If you look at their blog it seems the Vista and Ubuntu laptops are still not hacked yet at the end of day 2:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
The security flaw was in Safari, probably a buffer overflow allowing arbitrary code to be executed. Had Safari been on any other OS with that flaw, the other OSes would be fscked as well, no questions asked. Something like SELinux or AppArmor on the *nixes can help defend against things like that to a point, but it won't stop them all. Bottom line: the OS is a big chunk of the problem, but software flaws and help from PEBKAC make things a whole lot worse.
Sigs are too short to say anything truly profound so read the above post instead.
Here is your linkey http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx
Quote from the linkey
In IE7's Protected Mode--which is the default in other than the Trusted security zone--the IE process runs with Low rights, even if the logged-in user is an administrator. Since add-ins to IE such as ActiveX controls and toolbars run within the IE process, those add-ins run Low as well. The idea behind Protected Mode IE is that even if an attacker somehow defeated every defense mechanism and gained control of the IE process and got it to run some arbitrary code, that code would be severely limited in what it could do. Almost all of the file system and registry would be off-limits to it for writing, reducing the ability of an exploit to modify the system or harm user files. The code wouldn't have enough privileges to install software, put files in the user's Startup folder, hijack browser settings, or other nastiness.
In Protected Mode IE writes/reads special Low versions of the cache, TEMP folder, Cookies and History:
Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Temp: %userprofile%\AppData\Local\Temp\Low
Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low
The results for the other machines are in. At the end of day 2, the Vista and Ubuntu laptops have yet to be compromised:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
According to Secunia, Vista has 2 minor vulnerabilities unpatched, Ubuntu 0, and OS X 6 vulnerabilities.
Sudo runs things as the super user, hence the name... this is not what you want if you are going for higher security.
Actually "su" stands for "switch user". You can just as easily sudo to _any_ user.
All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 2: March 27th: Default client-side apps
The attack surface increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.
The pwned machine(s) will be taken out of the contest at that time.
Day 3: March 28th: Third Party apps
Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.
So the security will be even more relaxed on the third day because Ubuntu and Vista survived the first two days without a hack. The Mac finished last and is out of the race.
What the parent was suggesting is to create an account with very limited access and to run the browser as that account using something like: `sudo -u sandboxaccount browserbin`.
No, what he is saying is that more people would be trying for the MacBook Air, because more people would want to own a MacBook Air.
Last year was QT, this year was Safari.
No other exploit came at all today. There's still thousands of dollars to be won. The motivation for the entire day less two minutes was fully on Windows or Ubuntu. But they didn't crack yet.
It's not a guarantee that the first to fail is the weakest, there's definite elements of chance and some complex interactions. But it was done with Safari, which is part of the default distribution of a Mac and it's not exactly easy to not use Safari for at least long enough to download Firefox.
I was pretty surprised when Dell finally started putting some effort into their laptop designs. For example, take the XPS m1330 that came out last year. It's actually really nice. I wanted a near-ultra-portable but *powerful* Ubuntu laptop and was within a hair's breadth of getting a macbook pro. (The air is a slick design, but the power just isn't there.) Then I found out I could get something every bit as powerful as a high-end macbook pro in the form-factor of a 13" macbook, only lighter, and for less money. (Caveat to follow.) Then I found out that the design actually looked nice. Nicer than the macbooks to my tastes. (Seriously, it's time for a design update Apple.) On top of that, the m1330's design makes a fair bit of ergonomic sense too. The laptop tapers down towards your wrists, rather than the tendinitis-inducing edge on macbooks.
Even more surprising, the m1330 is really well supported in Ubuntu. (Dell actually sells the m1330 with Ubuntu pre-installed, although the discount is rather pathetic.) More things just work in a default install of Ubuntu on the m1330 than in Vista! (The only thing that doesn't work as well in Ubuntu as it does in Vista is the fingerprint reader, but that's just because biometric password support in Linux, and KDE especially, sucks dingo balls at present.) And yes, if I bought a macbook I probably would have tossed the OSX disks and reformatted the drive first thing. I've had to develop under OSX and, while I don't mind it, I definitely prefer Ubuntu.
Caveat time. Dell's customization options are still royally borked. You can pick up a lot of accessories, like bluetooth mice, fairly cheap when buying a laptop, but other components are just insanely expensive. Anyone who maxes out the memory on a Dell while ordering it and then complains about the price is an idiot. Upgrading the memory on a Dell won't void the warranty. You want 4GB? Get 1GB from Dell, toss it, and buy a couple 2GB sticks yourself. You'll save at least a couple hundred dollars. If Dell would smarten up about that kind of thing I'd have no complaints.
Still, one thing is pretty clear. You can no longer mindlessly slag Dell for epitomizing bland and crappy laptop designs. They do still have ultra-cheap crap and bland bricks built like tanks for the corporate types, but they're also gunning for the sexier end of the market now.
Actually, "su" does indeed stand for "super user". Originally, it could only switch to root. The capability to switch to arbitrary users was added later, and "switch user" is a backronym.
While we're on the subject, guess what "dd" stands for? It's not "direct dump" or "disk destroy". It's "character copy".
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
Overall, you're arguing about two different things. There's security by design, and then there's secure implementation. It seems like you're claiming that an operating system that's secure by design will, somehow, have fewer implementation flaws. That's not true. Good design is there to mitigate the damage that can be done by exploiting a vulnerability, not to make vulnerabilities disappear. The presence of vulnerabilities in code does not necessarily indicate that that code is insecure by design. The scope of damage that those vulnerabilities can cause, however, is an indication of the design's security.
And I haven't actually been able to find an indication of the scope of this particular vulnerability. All I can see is that contestants had to read a "designated file", with no indication as to the access mode of that file. If it was just a regular, user-owned file, this is a pretty run-of-the-mill buffer overflow in a userland application. If it, somehow, allowed the attacker to gain root privileges, then that's a much bigger problem.
The trouble is, they didn't implement the Biba security model - they only implemented part of it. More specifically, they implemented the "no write up" rule which prevents low integrity processes writing to high integrity stuff (well, most of the time - I think there are ways for low integrity processes to talk to high integrity ones). However, they didn't implement the "no read down" rule at all - high integrity apps can and do read low integrity data.
Why does this matter? Well, suppose you have something like the WMF vulnerability, which can be exploited if you preview the file in Windows Explorer. All a website has to do is to download the file into the sandbox and trick the victim into previewing it.
Unfortunately, the proper Biba integrity model is probably totally impractical for desktop use.
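The difference between the two rule sets in the comment above, as an added example that is not part of the original thread and is not Windows' own code: a toy reference monitor replays the same three events under "no write up" only and under strict Biba. The entity names, file paths and integrity levels are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class Entity:
    name: str
    level: Level

def may_write(subject, obj):
    """No write up: a subject may not modify an object of higher integrity."""
    return subject.level >= obj.level

def may_read(subject, obj, strict):
    """No read down (strict Biba only): no reading of lower-integrity data."""
    return (subject.level <= obj.level) if strict else True

def replay(events, strict):
    """Apply (subject, op, object) events; return (denied events, tainted subjects)."""
    denied, tainted = [], set()
    for subject, op, obj in events:
        ok = may_write(subject, obj) if op == "write" else may_read(subject, obj, strict)
        if not ok:
            denied.append((subject.name, op, obj.name))
        elif op == "read" and obj.level < subject.level:
            # Higher-integrity code consumed lower-integrity input.
            tainted.add(subject.name)
    return denied, tainted

# Constructed scenario mirroring the comment: sandboxed browser, unsandboxed previewer.
browser = Entity("browser", Level.LOW)
shell = Entity("file_manager", Level.MEDIUM)
download = Entity("Temp/Low/picture.wmf", Level.LOW)
startup = Entity("Startup/run.lnk", Level.MEDIUM)

EVENTS = [
    (browser, "write", download),  # a site saves a file inside the Low sandbox
    (browser, "write", startup),   # sandboxed code tries to write outside it
    (shell, "read", download),     # the user previews the downloaded file
]

if __name__ == "__main__":
    for strict in (False, True):
        denied, tainted = replay(EVENTS, strict)
        print("strict Biba" if strict else "no-write-up only", denied, sorted(tainted))
```

Both policies block the write outside the sandbox; only strict Biba also blocks the preview, which is the read that leaves the higher-integrity process handling untrusted data.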
You fanbois are embarrassing, the second day prize was $10,000. I know inside your reality distortion field people will give up 4+ Macbook Air's worth of prize money just to get a single Macbook Air, but the rest of us aren't rabid fanbois so we find this logic a little thin.
With the $10,000 prize, they could have picked whatever machine they thought was the easiest/fastest to hack (which they obviously did) and bought several MacBook Airs with the prize money.
But it was hacked remotely. All it took was a visit to one website, and from that point on it was owned remotely.
"But this one goes to 11!"