MacBook Air cracked in 2 minutes at PWN to OWN Contest
The “Pwn to Own” Hacking Contest held last week was a security battle amongst 3 major operating systems – MacOS X Leopard, Windows Vista, and Ubuntu Linux. The 3-day hacking contest gives away $20,000 in cash and prizes to the first contestant to hack any of the 3 systems.
The goal is to hack a laptop via the operating system. The first one to hack any of the laptops gets to bring it home:
- VAIO VGN-TZ37CN running Ubuntu 7.10
- Fujitsu U810 running Vista Ultimate SP1
- MacBook Air running OSX 10.5.2
The main purpose of this contest is to responsibly unearth new vulnerabilities within these systems so that the affected vendor(s) can address them.
To claim a laptop as your own, you will need to read the contents of a designated file on each system through exploitation of a 0day code execution vulnerability (i.e., no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team’s exploit remains private.
On the first day of the competition, all 3 laptops were unscathed. On the second day, the very first rig to be hacked was, surprisingly, the MacBook Air (pwned in 2 minutes) via an undisclosed Safari browser vulnerability.
On the last day, the Windows Vista machine was also cracked. At the end of the 3-day competition, only the Ubuntu box remained untouched.
All newly discovered vulnerabilities were reported to Apple and Microsoft respectively. More details about the competition are available on the Tipping Point blog.