<<< Date Index >>>     <<< Thread Index >>>

CanSecWest 2008 PWN2OWN - Mar 26-28



Calendar Notes:
===========

PacSec 2008 will be on November 12/13 in Tokyo at Aoyama Diamond Hall.

EUSecWest 2008 will be on May 21/22 at a fun new venue in central London.
(We cooked this schedule up so it will enable people to fly to Berlin on 
the 23rd and make FX's ph-neutral on Saturday the 24th - which also 
has a fun new venue. Island???!?)

The EUSecWest 2008 CFP opens tomorrow and closes _before_ April 1 :-).
EUSecWest registration is now open.


Announcing CanSecWest PWN2OWN 2008.
===================================

Three targets, all patched.  All in typical client configurations with
typical user configurations.  You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to 
claim the prize.

Targets (typical road-warrior clients):

        VAIO VGN-TZ37CN running Ubuntu 7.10
        Fujitsu U810 running Vista Ultimate SP1
        MacBook Air running OSX 10.5.2

This year's contest will begin on March 26th, and go during the 
presentation hours and breaks of the conference until March 28th. 
The main purpose of this contest is to present new vulnerabilities in 
these systems so that the affected vendor(s) can address them.
Participation is open to any registered attendee of CanSecWest 2008.

Once you extract your claim ticket file from a laptop (note that doing 
so will involve executing code on the box, simple directory traversal 
style bugs are inadequate), you get to keep it. You also get to 
participate in 3com / Tipping Point's Zero Day Initiative, with the top 
award for remote, pre-auth, vulnerabilities being increased this year.
Fine print and details on the cash prizes are available from 
TippingPoint's DVLabs blog (http://dvlabs.tippingpoint.com/). 
More fine print and rules for the contest will be found at 
the http://cansecwest.com/ site.

Quick Overview:

-Limit one laptop per contestant.
-You can't use the same vulnerability to claim more than one box, if it 
 is a cross-platform issue.
-Thirty minute attack slots given to contestants at each box.
-Attack slots will be scheduled at the contest start by the methods 
 selected by the judges.
-Attacks are done via crossover cable. (attacker controls default route)
-RF attacks are done offsite by special arrangement...
-No physical access to the machines.
-Major web browsers (IE, Safari, Konqueror, Firefox), widely used and 
 deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, 
 Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, 
 kmail) are all in scope.




Fine Print:

These computers are REAL and FULLY patched. All third party software is 
widely used. There are no imitation vulnerabilities. Any exploit 
successfully used in this contest would also compromise a significant 
percentage of Internet connected hosts.  Instead, players choose to use 
their exploits here, at CanSecWest PWN2OWN 2008.  All successful exploits 
will be turned over to the appropriate vendor and patched before details 
are made public.


Rules

1. Attacks remain confidential until prize is claimed

Players will connect to the targets with a crossover cable and we will
not record the network traffic or log anything other than what is done
by default.

Successful exploits can be delivered directly to Tipping Point after the 
we verify that you control the target.

In the event that internet connectivity is required (eg. IM clients)
we will put the target online behind a firewall. We won't sniff at the
firewall, but we can make no guarentees for upstream networks. (so be
careful what you send over the Internet!)

2. No wireless attacks in the conference area

Players with intent to use wireless attacks must inform us in advance.
We will relocate to a secluded, undisclosed location where there won't
be dozens of people watching the traffic.

3. One attacker per target at a time

As is obvious from rule #1 and rule #2, one player gets exclusive access 
to any target at one time.

4. Players take turns, no hogging the targets

Players are limited to 30 minutes per attempt. We will mercilessly 
disconnect your cable at the end of each attack slot. Be fast!
We will reboot the targets before each session begins.

5. First come, first served access to targets.

Players get in line for their turns and may take an unlimited number
of turns. If a player runs out of time and no one else is waiting for
access to the target he may continue for another turn. Players may not
have more than 1 turn in any 30 minute period. (That means we won't
reboot a target any time you feel like it)

6. Remote, pre-authentication attacks are required to win

Players may not physically touch the targets or look at the target's 
display. Players are required to demonstrate to our satisfaction that 
arbitrary code runs on the target.

7. Attackers control the default route for the target.

Players may become the target's default gateway in order to perform man 
in the middle attacks. 

8. Contest officials visit attacker web servers

Players may direct us to visit a web server running on the player's 
computer. Players may specify which browser to use.

Keep the URL reasonable. We're not going to type weird addresses in.
Once we hit enter that's it. We will not click on any links.

9. Contest officials read email from attackers

Autopreview (Preview panes, etc) is enabled on mail readers, but we will
not click on links contained therein or open attachments.

10. Contest officials will add attackers on IM and read their messages.

They will not click on links or open file transfers.

11. Client Application list:

The fully patched client-side applications that qualify for a prize includes:

.     Adobe PDF
.     Adobe Flash
.     Microsoft Silverlight
.     Microsoft Internet Explorer
.     Microsoft Outlook/Outlook Express
.     Firefox
.     Safari
.     iChat
.     Apple Mail
.     Skype
.     Adium
.     Pigdin
.     Kmail
.     Thunderbird
.     AOL, Yahoo!, and MSN official IM clients
.     Java/JRE

Other software may be added to this list at our discretion of if we
deem it represents a significant attack target on normal internet 
clients at large.

12. Winning exploits must be true 0day. 

They may not have already been submitted to the affected vendor or 
to third parties.

13. Each machine will be secured to common industry best practices:

We'll get Andrea Barisani from our Hardening Linux Dojo (which still 
has seats available :) to look over the Ubuntu machine, and the 
Microsoft/iSec/Core DTF folks to secure the Windows box, and Josh 
Ryder our local Mac zealot to look at the OSX wafer.

Special Thanks:

-LTC Ron Dodge, USMA, for agreeing to be in the hot seat as the judge.
-The folks at 3com Tipping Point ZDI for helping out.
-The folks at White Wolf Security for assistance in the design, prep, and
 running the challenge.

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada   March 26-28 - 2008    http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp