
MacBook Hacking Contest Won ($10,000)

Macworld reports on a winning "hack" claimed by Shane Macaulay and Dino Dai Zovi for the Hack a Mac contest at CanSecWest this week.

The conference and contest took place between April 18-20th in Vancouver, British Columbia:

CanSecWest organizers will set up the MacBooks with their own access point and all security updates installed, but without additional security software or settings. Attendees will be able to connect to the machines via the access point through Ethernet or Wi-Fi, according to the CanSecWest Web site.


As originally planned, the rules for the Hack a Mac contest were relaxed on Friday after nobody had won the contest on the previous days. Under the relaxed rules, a URL was provided that exposed Safari to a "specially-constructed Web page" which allowed the hacker to gain shell access to the MacBook.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said.


According to Matasano, Apple's most recent Security update does not address this specific issue with Safari.

Top Rated Comments


63 months ago
Story at Matasano.

"About an hour ago, security researcher Shane Macaulay leveraged a clientside exploit to bind a remotely-accessible shell on the fully-patched MacBook used by the PWN 2 0WN contest at CanSecWest.

The vulnerability and exploit were developed last night by Dino Dai Zovi, in the wake of an announcement by 3Com establishing a $10,000 bounty on successful exploitation of one of the contest MacBooks. Said Dino: “I think I may have set the land-speed record”.

Shane keeps the laptop, Dino keeps the reward.

Details about the specifics of the vulnerability to follow at a later date."
Rating: 0 Positives / 0 Negatives
63 months ago
I knew someone would get in, but not sure if their solution is practical. Can anyone elaborate on it?
Rating: 0 Positives / 0 Negatives
63 months ago
Aww boo, was the firewall on it, as it's not on by default?
Rating: 0 Positives / 0 Negatives
63 months ago
I know that they weren't using the latest Security Update 2007-004 since that was just released by Apple late yesterday.

Also note that since this was day 2 of the contest (from ZDNet story this morning)....

On the second day, the barrier will be lowered a bit and the attackers will be allowed to put exploit code on a special wiki and launch drive-by exploits on the Mac's built-in Safari browser.



EDIT: A link to a story describing how it was "hacked" is here.

Note how the bar was intentionally lowered however... :rolleyes:

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Rating: 0 Positives / 0 Negatives
63 months ago

I know that they weren't using the latest Security Update 2007-004 since that was just released by Apple late yesterday. Makes me wonder if this hacker simply got his clues from reading the list of fixes that were implemented in that update.

Also note that since this was day 2 (from ZDNet story this morning)....


It says that fully patched machines at this point (which would include the latest security fix) are still vulnerable.

EDIT: I'm just waiting for the people to say it doesn't count because they had to perform an action. That's how tons of Windows viruses/exploits work as well, and we don't say they don't count.
Rating: 0 Positives / 0 Negatives
63 months ago

It says that fully patched machines at this point (which would include the latest security fix) are still vulnerable.


The contest started Thursday morning and the patch wasn't available until Thursday night. They didn't patch it on the fly once the contest began, so it wasn't on the hacked machine. However, we see how they pulled it off now, and the update would have had no impact anyway.

Considerably lowering the security bar to get in had everything to do with it. Either way, they've got quite a long way to go before they prove that OS X is anywhere near as insecure as Windows. Any OS can be hacked given certain circumstances, some are just immensely more difficult to hack than others.

Ah well, in the meantime, we shall continue to wait for the first ever Mac running OS X out in the wild to finally get hacked. It's been 6+ years and 20+ million users so far, and that still hasn't happened.....
Rating: 0 Positives / 0 Negatives
63 months ago
Am I surprised by "OSX is not bulletproof"? No.
Am I surprised by the double standard? No.
Every OS's security is relative; to regard OSX as bulletproof is wrong in the first place.
Rating: 0 Positives / 0 Negatives
63 months ago

The contest started Thursday morning and the patch wasn't available until Thursday night. They didn't patch it on the fly once the contest began, so it wasn't on the hacked machine.

However, we see how they pulled it off now, the update would have had no impact anyway. Lowering the bar had everything to do with it.


I didn't say that they patched the machine, I said that the patch did not fix the issue that the hackers used to get in.
Rating: 0 Positives / 0 Negatives
63 months ago

Note how the bar was intentionally lowered however... :rolleyes:


Yeah, I find the third day bar to be quite hilarious. "If, by the third day, no one has hacked a machine, we'll allow you to connect via USB or Bluetooth."
Rating: 0 Positives / 0 Negatives
63 months ago
We can probably expect to hear some smart*** remark from Ballmer or some other MS goon. What we'll most likely hear about is antivirus companies begging and pleading for Mac customers to purchase their products.

Windows Fanbois around the globe are going, "OMG, Macs are like, so vulnerable, and stuff."

I don't post enough in these forums for anyone to know my position on these things, but rest assured, I haven't been any of these types who are very arrogant about OS X's security. I do know, however, no one has written an exploit. "Small market share" is the most common response I hear when talking about this. It would seem to me some dude would want to gain the notoriety of being the "first to market" with really bad stuff for the Mac.

It'll be interesting to see what the aftermath of this contest will be. Oh, and will the guys over this contest really try to hide and protect the exploit? With Dino's bragging about "set[ting] a land-speed record", does anyone really feel he'll keep this information to himself? Just curious. :)
Rating: 0 Positives / 0 Negatives
