Greg Russell
March 25, 2010 (Computerworld) Two researchers yesterday won $10,000 each at
the Pwn2Own hacking contest by bypassing important security measures of
Windows 7.
Both Peter Vreugdenhil of the Netherlands and a German researcher who would
only identify himself by the first name Nils found ways to disable DEP (data
execution prevention) and ASLR (address space layout randomization), which
are two of Windows 7's most vaunted anti-exploit features. Each contestant
faced down the fully-patched 64-bit version of Windows 7 and came out a
winner.
Vreugdenhil used a two-exploit combination to circumvent first ASLR and then
DEP to successfully hack IE8. A half-hour later, Nils bypassed the same
defensive mechanisms to exploit Mozilla's Firefox 3.6. For their efforts,
each was awarded the notebook they attacked, $10,000 in cash and a paid trip
to the DefCon hackers conference in Las Vegas this July.
"Every exploit today has been top-notch," said Aaron Portnoy, security
research team lead at 3Com's TippingPoint security unit, the sponsor of the
contest, in an interview at the end of the day Wednesday. "The one on IE8
was particularly impressive."
Vreugdenhil, a freelance vulnerability researcher, explained how he bypassed
DEP and ASLR. To outwit ASLR -- which randomly shuffles the positions of key
memory areas to make it much more difficult for hackers to predict whether
their attack code will actually run -- Vreugdenhil used a heap overflow
vulnerability that allowed him to obtain the base address of a .dll module
that IE8 loads into memory. He then used that to run his DEP-skirting
exploit.
DEP, which Microsoft introduced in 2004 with Windows XP Service Pack 2,
prevents malicious code from executing in sections of memory not intended
for code execution and is a defense against, among other things,
buffer-overflow attacks.
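Both mitigations the article describes are opt-ins recorded per module in the PE optional header's DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR, IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP), so a defender can audit whether a browser and every DLL it loads actually participate. The following Python is an added example, not code from the article or from either researcher; the offsets and flag values come from Microsoft's published PE/COFF format, and the sample input is a constructed minimal header rather than a real binary.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module relocatable: ASLR applies
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module declares DEP compatibility

COFF_HEADER_SIZE = 20
# DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B) optional headers
DLL_CHARACTERISTICS_OFFSET = 70


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", image, opt + DLL_CHARACTERISTICS_OFFSET)[0]


def mitigation_report(image: bytes) -> dict:
    """Report whether a module opts in to ASLR and DEP; a False here is a gap to fix."""
    dc = dll_characteristics(image)
    return {"aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}


def build_test_image(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not loadable) carrying the given DllCharacteristics."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: a fully opted-in module and one that only declares DEP support
    print(mitigation_report(build_test_image(0x0140)))  # {'aslr': True, 'dep': True}
    print(mitigation_report(build_test_image(0x0100)))  # {'aslr': False, 'dep': True}
```

To audit a real module, pass `open(path, "rb").read()` to `mitigation_report`; a module without DYNAMIC_BASE loads at a fixed address and gives an attacker exactly the kind of known base the article describes being obtained through an information leak.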
"[The exploit] reuses Microsoft's own code to disable DEP," said
Vreugdenhil. "You can reuse Microsoft's own code to disable memory
protection."
In a paper he published today, Vreugdenhil spelled out in more detail how he
evaded both ASLR and DEP.
"It was a two-step exploitation," Vreugdenhil said of the unusual attack. "I
could have done it with one, but it would have taken too long." Using the
double-exploit technique gave him control of the machine in a little over
two minutes; if he had used only one exploit, the task would have required
50 to 60 minutes.
"I didn't know how much time I would have at Pwn2Own," he said, referring to
the constraints of the contest, where hackers had limited time slots. And he
didn't want to bore his audience. "I put some eye candy in the exploit," he
said, referring to a progress bar he inserted that read "Please be patient
while you are being exploited..."
"It feels great," said Vreugdenhil of winning. "But I was nervous. I was
convinced that there would be other exploits for IE8." This year's Pwn2Own
was a first-come, first-served contest: The first researcher to hack each
browser would win $10,000, but the second would take home nothing.
Nils also sidestepped DEP and ASLR in Windows 7 when he exploited the newest
version of Firefox later in the day. Like Vreugdenhil, Nils also was awarded
the notebook and $10,000. This was Nils' second Pwn2Own victory; last year
he grabbed $15,000 by exploiting not only Firefox, but also Safari and IE8.
"As usual, Nils' exploit was very thorough," said TippingPoint's Portnoy,
who is the organizer of the Pwn2Own contest.
TippingPoint purchased the rights to the flaws and attack code from
Vreugdenhil, Nils and the other Pwn2Own winners. It will turn over that
information to Microsoft, Mozilla and other affected vendors on Friday at
the conclusion of the contest. Until vendors patch their vulnerabilities,
TippingPoint will not disclose any technical information about the bugs.
Both Microsoft Corp. and Mozilla Corp. had representatives on hand during
the contest.
Later, Jerry Bryant, a senior manager with the Microsoft Security Research
Center (MSRC) acknowledged the vulnerabilities exploited by Vreugdenhil, but
little else. "Microsoft is aware of a new vulnerability in Internet Explorer
introduced at CanSecWest in the Pwn2own contest," Bryant said in an e-mail
Wednesday. "We are investigating the issue and we will take appropriate
steps to protect customers when the investigation is complete."
Bryant did not say when Microsoft would patch the flaws Vreugdenhil used.
The company's next scheduled Patch Tuesday is April 13, but Microsoft
typically takes much longer to produce its fixes, with testing time alone
often running 30 to 60 days.
The lesson from this year's Pwn2Own is pretty simple, suggested Charlie
Miller, another of Wednesday's winners. "What you can see at Pwn2Own is that
bugs are still in software, and exploit mitigations like DEP and ASLR don't
work. Even as [defensive measures] improve, researchers still end up
winning."