CanSecWest 2008 PWN2OWN - Mar 26-28
Calendar Notes:
===========
PacSec 2008 will be on November 12/13 in Tokyo at Aoyama Diamond Hall.
EUSecWest 2008 will be on May 21/22 at a fun new venue in central London.
(We cooked this schedule up so it will enable people to fly to Berlin on
the 23rd and make FX's ph-neutral on Saturday the 24th - which also
has a fun new venue. Island???!?)
The EUSecWest 2008 CFP opens tomorrow and closes _before_ April 1 :-).
EUSecWest registration is now open.
Announcing CanSecWest PWN2OWN 2008.
===================================
Three targets, all patched. All in typical client configurations with
typical user configurations. You hack it, you get to keep it.
Each has a file on them and it contains the instructions and how to
claim the prize.
Targets (typical road-warrior clients):
VAIO VGN-TZ37CN running Ubuntu 7.10
Fujitsu U810 running Vista Ultimate SP1
MacBook Air running OSX 10.5.2
This year's contest will begin on March 26th, and go during the
presentation hours and breaks of the conference until March 28th.
The main purpose of this contest is to present new vulnerabilities in
these systems so that the affected vendor(s) can address them.
Participation is open to any registered attendee of CanSecWest 2008.
Once you extract your claim ticket file from a laptop (note that doing
so will involve executing code on the box, simple directory traversal
style bugs are inadequate), you get to keep it. You also get to
participate in 3com / Tipping Point's Zero Day Initiative, with the top
award for remote, pre-auth, vulnerabilities being increased this year.
Fine print and details on the cash prizes are available from
TippingPoint's DVLabs blog (http://dvlabs.tippingpoint.com/).
More fine print and rules for the contest will be found at
the http://cansecwest.com/ site.
Quick Overview:
-Limit one laptop per contestant.
-You can't use the same vulnerability to claim more than one box, if it
is a cross-platform issue.
-Thirty minute attack slots given to contestants at each box.
-Attack slots will be scheduled at the contest start by the methods
selected by the judges.
-Attacks are done via crossover cable. (attacker controls default route)
-RF attacks are done offsite by special arrangement...
-No physical access to the machines.
-Major web browsers (IE, Safari, Konqueror, Firefox), widely used and
deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium,
Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird,
kmail) are all in scope.
Fine Print:
These computers are REAL and FULLY patched. All third party software is
widely used. There are no imitation vulnerabilities. Any exploit
successfully used in this contest would also compromise a significant
percentage of Internet connected hosts. Instead, players choose to use
their exploits here, at CanSecWest PWN2OWN 2008. All successful exploits
will be turned over to the appropriate vendor and patched before details
are made public.
Rules
1. Attacks remain confidential until prize is claimed
Players will connect to the targets with a crossover cable and we will
not record the network traffic or log anything other than what is done
by default.
Successful exploits can be delivered directly to Tipping Point after the
we verify that you control the target.
In the event that internet connectivity is required (eg. IM clients)
we will put the target online behind a firewall. We won't sniff at the
firewall, but we can make no guarentees for upstream networks. (so be
careful what you send over the Internet!)
2. No wireless attacks in the conference area
Players with intent to use wireless attacks must inform us in advance.
We will relocate to a secluded, undisclosed location where there won't
be dozens of people watching the traffic.
3. One attacker per target at a time
As is obvious from rule #1 and rule #2, one player gets exclusive access
to any target at one time.
4. Players take turns, no hogging the targets
Players are limited to 30 minutes per attempt. We will mercilessly
disconnect your cable at the end of each attack slot. Be fast!
We will reboot the targets before each session begins.
5. First come, first served access to targets.
Players get in line for their turns and may take an unlimited number
of turns. If a player runs out of time and no one else is waiting for
access to the target he may continue for another turn. Players may not
have more than 1 turn in any 30 minute period. (That means we won't
reboot a target any time you feel like it)
6. Remote, pre-authentication attacks are required to win
Players may not physically touch the targets or look at the target's
display. Players are required to demonstrate to our satisfaction that
arbitrary code runs on the target.
7. Attackers control the default route for the target.
Players may become the target's default gateway in order to perform man
in the middle attacks.
8. Contest officials visit attacker web servers
Players may direct us to visit a web server running on the player's
computer. Players may specify which browser to use.
Keep the URL reasonable. We're not going to type weird addresses in.
Once we hit enter that's it. We will not click on any links.
9. Contest officials read email from attackers
Autopreview (Preview panes, etc) is enabled on mail readers, but we will
not click on links contained therein or open attachments.
10. Contest officials will add attackers on IM and read their messages.
They will not click on links or open file transfers.
11. Client Application list:
The fully patched client-side applications that qualify for a prize includes:
. Adobe PDF
. Adobe Flash
. Microsoft Silverlight
. Microsoft Internet Explorer
. Microsoft Outlook/Outlook Express
. Firefox
. Safari
. iChat
. Apple Mail
. Skype
. Adium
. Pigdin
. Kmail
. Thunderbird
. AOL, Yahoo!, and MSN official IM clients
. Java/JRE
Other software may be added to this list at our discretion of if we
deem it represents a significant attack target on normal internet
clients at large.
12. Winning exploits must be true 0day.
They may not have already been submitted to the affected vendor or
to third parties.
13. Each machine will be secured to common industry best practices:
We'll get Andrea Barisani from our Hardening Linux Dojo (which still
has seats available :) to look over the Ubuntu machine, and the
Microsoft/iSec/Core DTF folks to secure the Windows box, and Josh
Ryder our local Mac zealot to look at the OSX wafer.
Special Thanks:
-LTC Ron Dodge, USMA, for agreeing to be in the hot seat as the judge.
-The folks at 3com Tipping Point ZDI for helping out.
-The folks at White Wolf Security for assistance in the design, prep, and
running the challenge.
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 26-28 - 2008 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp