PWN2OWN – hack the Big Four browsers in public and go home with half a million dollars


There are six weeks to go until the CanSecWest 2013 conference.

As the name suggests, it takes place at the left-hand end of Canada (left, at least, left on a traditional North-aligned map), in the delightful waterside city of Vancouver, British Columbia.

CanSecWest has become famous – notorious, even – for the hacking competition that takes place there: PWN2OWN.

The concept is simple: pwn a fully-patched browser running on a fully patched laptop (in other words, own it figuratively) and you get to keep the laptop (that is, to own it quite literally).

The hackerish verb pwn, pronounced pone, rhymes with blown, is a deliberate mis-spelling of own (O and P are adjacent on most keyboards). If you pwn something, notably something to do with computer security, it means you have defeated it; it is vanquished, overcome, bypassed, left in purposeless disarray, etc.

If you pwn my computer, you may also transitively claim to have pwned me, and, albeit with little justification, also my household, my coterie or even the company I work for.

You’ll also hear the word used metaphorically, beyond the context of computer hacking and intrusion, at least by techie types with a predilection for applying geeky sociolect to the real world. If you catch me out in a practical joke, for instance, or beat me in a card game such as Mystic Warlords of Ka-ah, you might exclaim aloud, “Pwned, dude.”

In the context of the PWN2OWN competition, the pwnership means that by merely browsing to untrusted web content, you’re able to inject and run arbitrary executable code.

In short, if this were the real world, you could pull off a drive-by install, where you bypass all intended protections, preventions and pop-up warnings from the browser and put malware on my computer.

In the dispassionate words of the competition rules:

A successful attack ... must require little or no user interaction and must demonstrate code execution.

The targets will be running on the latest, fully patched version of Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations. The vulnerabilities utilised in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win.

Last year, the competition suffered a schism when Google refused to put its Chrome product up for attack, claiming that the competition rules violated its own responsible disclosure policy.

In particular, winners only had to demonstrate the successful conclusions of their attacks, meaning they could pwn your browser, collect their prize, and walk off and sell the vulnerability as a zero-day (an as-yet undisclosed exploitable hole) to someone else.

That’s changed this year, with the rules clearly requiring responsible disclosure of the “how” of any winning vulnerability:

Upon successful demonstration of the exploit, the contestant will provide Sponsor a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes.

And you can’t sell your work to anyone else. To own the prize, you have to let HP, who are running the competition, pwn your work:

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the proof of concept will become the property of HP.

Loosely speaking, HP will buy the winning exploits for its own use. The company isn’t stinting on the prize money, though. Indeed, with Google back inside the tent, adding an undisclosed amount to the prize fund, there’s a lot on offer.

The prizes follow a sliding scale that says a lot about how tough the organisers think each target platform will be:

This year, as you can see, prizes are on offer for attacks against browser-plus-plugin combinations, thus exposing Reader, Flash and Java to the PWN2OWN world for the first time.

You’ve got to feel sorry for Oracle.

A working exploit against its Java plugin worth just 20% of the value of an exploit against Redmond’s most recent browser.

Mozilla may be feeling a bit uncomfortable, too.

Pwnership of Firefox on Windows 7 is valued at only 60% of an attack against Google’s Chrome on the same platform.

And Apple’s Safari, the only browser that will be under attack on OS X, gets damned with faint praise at $65k.

Fancy your chances?

PWN2OWN certainly isn’t for the faint or half hearted.

Unlike a real-world penetration test, where you can look for low-hanging fruit, such as users with outdated software, or unmanaged computers with sub-standard configuration settings, you’re battling a properly set up system with the latest security patches applied.

Last year, a researcher called Pinky Pie needed to unleash a seven-step sequence, involving six independent vulnerabilities, to penetrate Google’s Chrome browser. (Google ran its own competition alongside PWN2OWN, for the reasons described above.)

Don’t forget, it isn’t all about the money. It’s also about a sense of intellectual achievement and of proactive contribution to the field of security research.

What am I saying? With $560,000 on the table, of course it’s about the money. But you do have to work for it.