Focus on Apple
PWN to OWN at CanSecWest Mar 29 2007 12:45AM
mfossi securityfocus com (1 replies)
RE: PWN to OWN at CanSecWest Mar 29 2007 12:02PM
Don Rhodes (drhodes mail colgate edu) (1 replies)
Re: PWN to OWN at CanSecWest Mar 29 2007 04:31PM
Dave Schroeder (das doit wisc edu) (2 replies)
Re: PWN to OWN at CanSecWest Mar 29 2007 09:53PM
Dragos Ruiu (dr kyx net) (1 replies)
Re: PWN to OWN at CanSecWest Mar 29 2007 10:10PM
Dave Schroeder (das doit wisc edu)

On Mar 29, 2007, at 4:53 PM, Dragos Ruiu wrote:

>> I'll qualify that with this: they did say the rules would be
>> "progressive", and I take that to mean that they'll perhaps be doing
>> something like enabling more services or removing barriers as time
>> goes on. Certainly there could be a vulnerability in a service that
>> ships with Mac OS X. Personally, I have my eye on Bonjour, especially
>> since mDNSResponder runs as root...
>
> By "progressive" we mean:
>
> First day you have to go in over ethernet or wifi.

Ok, so this is purely remote, then...what services will be enabled?

> On the first box default user compromise is enough. You'll
> need privilege escalation and a root compromise for the second one.

Ok, and we already know there are unpublished local root escalation
vulns still outstanding on Mac OS X, since the one that was used in
the "rm my mac" challenge that caused me to do my challenge has never
been reported to Apple to date.

So all someone has to do is be in the group of folks that has access
to one of these, and be at CanSecWest. Here's a kicker: are you going
to require that the person disclose their mechanism, and report the
vulnerability to Apple?

> The victory conditions are to scp a specific file on the disk using
> the preshared key stored there to a server.
>
> If they last to the second day... then the second day brings browser
> bugs into scope. Safari will be set up to scrape a wiki page every
> five minutes or so (and to follow a changeable link there).
>
> The last day will bring in mail.app polls and three pane preview, and
> allow physical connections to the boxes... this will probably be
> only USB, as Firewire is TOO easy :).

Ok, these, then, really aren't what a lot of people already think the
PWN to OWN challenge is, for what it's worth...it's being reported as
a purely REMOTE ONLY affair, so if there is a winner on day 2 or 3,
many people will probably end up (wrongly) assuming that the machines
were owned remotely over the network with no other type of access.

I hope that whatever mechanism, if any, used to own the machines is
clearly described and documented, especially with regard to the
inevitable press contacts that will occur.

> We are not going to denature any security, and make this easier, but
> we will expand the attack surface by bringing in typical user
> activities.

I think these attack vectors are valid and interesting, but VERY
different from remote attacks.

> We'll try to post the detailed rules in the next two weeks.

Thanks for your response!

- Dave
Re: PWN to OWN at CanSecWest Mar 29 2007 09:40PM
matthew patton (pattonme yahoo com) (2 replies)
Re: PWN to OWN at CanSecWest Mar 30 2007 12:33PM
Jeramey Valley (ValleyJR mps k12 mi us)
Re: PWN to OWN at CanSecWest Mar 29 2007 10:49PM
Eric Hall (securityfocus darkart com) (1 replies)
Re: PWN to OWN at CanSecWest Mar 29 2007 10:00PM
John Smith (genericjohnsmith gmail com)
Copyright 2010, SecurityFocus