PWN2OWN - hack the Big Four browsers in public and go home with half a million dollars

Filed Under: Apple Safari, Featured, Firefox, Google Chrome, Internet Explorer, Web Browsers

There are six weeks to go until the CanSecWest 2013 conference.

As the name suggests, it takes place at the left-hand end of Canada (left, at least, on a traditional north-up map), in the delightful waterside city of Vancouver, British Columbia.

CanSecWest has become famous - notorious, even - for the hacking competition that takes place there: PWN2OWN.

The concept is simple: pwn a fully-patched browser running on a fully patched laptop (in other words, own it figuratively) and you get to keep the laptop (that is, to own it quite literally).

The hackerish verb pwn, pronounced pone, rhymes with blown, is a deliberate mis-spelling of own (O and P are adjacent on most keyboards). If you pwn something, notably something to do with computer security, it means you have defeated it; it is vanquished, overcome, bypassed, left in purposeless disarray, etc.

If you pwn my computer, you may also transitively claim to have pwned me, and, albeit with little justification, also my household, my coterie or even the company I work for.

You'll also hear the word used metaphorically, beyond the context of computer hacking and intrusion, at least by techie types with a predilection for applying geeky sociolect to the real world. If you catch me out in a practical joke, for instance, or beat me in a card game such as Mystic Warlords of Ka-ah, you might exclaim aloud, "Pwned, dude."

In the context of the PWN2OWN competition, the pwnership means that by merely browsing to untrusted web content, you're able to inject and run arbitrary executable code.

In short, if this were the real world, you could pull off a drive-by install, where you bypass all intended protections, preventions and pop-up warnings from the browser and put malware on my computer.

In the dispassionate words of the competition rules:

A successful attack ... must require little or no user interaction and must demonstrate code execution.

The targets will be running on the latest, fully patched version of Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations. The vulnerabilities utilised in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win.

Last year, the competition suffered a schism when Google refused to put its Chrome product up for attack, claiming that the competition rules violated its own responsible disclosure policy.

In particular, winners only had to demonstrate the successful conclusions of their attacks, meaning they could pwn your browser, collect their prize, and walk off and sell the vulnerability as a zero-day (an as-yet undisclosed exploitable hole) to someone else.

That's changed this year, with the rules clearly requiring responsible disclosure of the "how" of any winning vulnerability:

Upon successful demonstration of the exploit, the contestant will provide Sponsor a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes.

And you can't sell your work to anyone else. To own the prize, you have to let HP, who are running the competition, pwn your work:

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP.

Loosely speaking, HP will buy the winning exploits for its own use. The company isn't stinting on the prize money, though. Indeed, with Google back inside the tent, adding an undisclosed amount to the prize fund, there's a lot on offer.

The prizes follow a sliding scale that says a lot about how tough the organisers think each target platform will be:

This year, as you can see, prizes are on offer for attacks against browser-plus-plugin combinations, thus exposing Reader, Flash and Java to the PWN2OWN world for the first time.

You've got to feel sorry for Oracle.

A working exploit against its Java plugin is worth just 20% of the value of an exploit against Redmond's most recent browser.

Mozilla may be feeling a bit uncomfortable, too.

Pwnership of Firefox on Windows 7 is valued at only 60% of an attack against Google's Chrome on the same platform.

And Apple's Safari, the only browser that will be under attack on OS X, gets damned with faint praise at $65k.

Fancy your chances?

PWN2OWN certainly isn't for the faint-hearted or the half-hearted.

Unlike a real-world penetration test, where you can look for low-hanging fruit, such as users with outdated software, or unmanaged computers with sub-standard configuration settings, you're battling a properly set up system with the latest security patches applied.

Last year, a researcher called Pinkie Pie needed to unleash a seven-step sequence, involving six independent vulnerabilities, to penetrate Google's Chrome browser. (Google ran its own competition alongside PWN2OWN, for the reasons described above.)

Don't forget, it isn't all about the money. It's also about a sense of intellectual achievement and of proactive contribution to the field of security research.

What am I saying? With $560,000 on the table, of course it's about the money. But you do have to work for it.


4 Responses to PWN2OWN - hack the Big Four browsers in public and go home with half a million dollars

  1. thegift73 · 449 days ago

    Looking forward to this year's PWN2OWN. Should be pretty interesting, although I can see Oracle and OS X getting spanked pretty quickly. What about mobile browsers though, are these also on the menu?

  2. James Edward Lewis · 449 days ago

    It's interesting that Opera isn't included.

    • JimboC_Security · 448 days ago

      Hi James Edward Lewis,

      That's true, Opera is not present. According to Wikipedia, it's due to the browser's low market share. While that is partially true, I would argue that it is still part of the 5 most popular browsers (as well as having a large mobile user base) and should be included as a result. Trying to pwn Opera 64 bit would be an interesting challenge.

      As I mentioned in my comment yesterday (which was not published for some strange reason) I look forward to Pwn2Own each year. The more browsers and operating systems that are pwned the better since we can all benefit from the patches that are then designed to prevent such attacks in the future.

      This year’s contest should be particularly interesting since it has returned to its previous and more ethical full disclosure of any security flaw found as well as also targeting browser plugins.

      I wonder if Vupen will use a variant of its Windows 8 exploit that it announced back in late October last year? I also wonder about Adobe Reader XI if any exploit can pwn it (especially since a working exploit was demoed by the Group-IB security firm in November last year).

      Thank you.

  3. roy jones jr · 443 days ago

    I'm only interested in preventing the vulnerabilities. Takes too much manpower to try to bring the stuff unless you were already doing that sort of stuff in high school and above.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog