CanSecWest Show: iPhone, Safari, IE8, & Firefox hacked

The annual Pwn2Own contest held at the CanSecWest security show revealed that researchers could hack a non-jailbroken iPhone, Safari on Snow Leopard, and IE 8 and Firefox running on Windows 7. Peter Vreugdenhil, a security researcher from the Netherlands, used his exploit to bypass security features in IE8, which earned him $10,000. Vreugdenhil exploited two vulnerabilities in a four-part attack that bypassed ASLR (Address Space Layout Randomization) and evaded DEP (Data Execution Prevention).
Charlie Miller, a security analyst at Independent Security Evaluators, hacked Safari on a MacBook Pro with no physical access to the machine, winning himself $10,000. In the previous year, Miller won $5,000 exploiting a hole in Safari, and in 2008 he hacked a MacBook Air. Little is known of the exploit, as Miller declined to comment, beyond his statement that the target computer was compromised by visiting a Web site hosting the malicious code.
Another participant, Nils, head of research at MWR InfoSecurity, targeted Firefox on 64-bit Windows 7, also earning himself $10,000. Nils also won $15,000 last year for exploits he demonstrated in IE 8, Safari, and Firefox. He exploited a memory corruption vulnerability and bypassed ASLR and DEP, demonstrating a weakness in Mozilla's browser. He stated that it took him almost no time to write the exploit. "I could have started any process," Nils said.
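Both Windows 7 wins above hinge on bypassing ASLR and DEP, which only protect an image that opts in to them at link time. The following is an added example, not code from the article or from CNET: it reads the DllCharacteristics field of a PE image and reports whether the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP) and HIGH_ENTROPY_VA flags are set, so a defender can audit which browser binaries and plugins are actually covered. The flag values and header offsets are from the PE/COFF specification; the sample image is constructed in-memory and is not loadable.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR-compatible)
NX_COMPAT = 0x0100        # image opts in to DEP (no-execute pages)
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use high-entropy ASLR addresses


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a raw PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20            # skip 4-byte signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt_hdr)
    if magic not in (0x10B, 0x20B):        # PE32 or PE32+
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional headers
    (dllchars,) = struct.unpack_from("<H", image, opt_hdr + 70)
    return dllchars


def mitigation_report(image: bytes) -> dict:
    """Summarise which exploit mitigations the image has opted in to."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
    }


def build_sample_pe(dllchars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE header for demonstration (constructed sample)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total)
    machine = 0x8664 if pe32plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dllchars)                       # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Compare a legacy build with no mitigations against a hardened one.
    for name, img in (("legacy", build_sample_pe(0)),
                      ("hardened", build_sample_pe(DYNAMIC_BASE | NX_COMPAT))):
        print(name, mitigation_report(img))
```

To audit a real binary, pass `open(path, "rb").read()` to `mitigation_report`. A module that lacks DYNAMIC_BASE is loaded at a predictable address and gives an attacker a fixed pool of code to chain, which is exactly what makes ASLR easier to sidestep.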
Ralf-Philipp Weinmann of Luxembourg and Vincenzo Iozzo of Germany both hacked the iPhone and will share their $15,000 prize. According to TippingPoint's Zero Day Initiative, Iozzo was delayed en route to the contest, so his colleague Thomas Dullien, aka Halvar Flake, served as his proxy. Iozzo and Weinmann had written, in two weeks, an exploit that stole the contents of the SMS database on an iPhone. This was accomplished through a Web site hosting exploit code; Weinmann said that "The payload executes and uploads the local SMS database of the phone to the server we control." The exploit was written to bypass the digital code signatures used on the iPhone to prove that code in memory actually comes from Apple. According to Weinmann, the exploit looked for chunks of Apple's own code that could be pieced together to accomplish the attack.
[via CNET]
