MacBook Air cracked in 2 minutes at PWN to OWN Contest

The “Pwn to Own” Hacking Contest held last week was a security battle amongst 3 major operating systems – MacOS X Leopard, Windows Vista, and Ubuntu Linux. The 3-day hacking contest gives away $20,000PHP 1,173,710INR 1,694,996EUR 19,046CNY 145,566 in cash and prizes to the first contestant to hack any of the 3 systems.

The goal is to hack a laptop via the operating system. First one to hack any of the laptops gets to bring it home:

• VAIO VGN-TZ37CN running Ubuntu 7.10
• Fujitsu U810 running Vista Ultimate SP1
• MacBook Air running OSX 10.5.2

The main purpose of this contest is to responsibly unearth new vulnerabilities within these systems so that the affected vendor(s) can address them.

To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team’s exploit remains private.

On the first day of the competition, all 3 laptops were unscathed. On the second day, the very first rig to be hack was surprisingly the MacBook Air (pwned in 2 minutes) via an undisclosed Safari browser vulnerability. That On the last day, the Windows Vista machine was also cracked. At the end of the 3 day competition, only the Ubuntu box remained untouched.

All newly discovered vulnerabilities were reported to Apple and Microsoft respectively. More details about the competition on the Tipping Point blog.