It’s that time of the year again; that time of the year where news outlets get to indulge in sensationalist headlines about how Mac OS X got hacked in twenty seconds. Yes, CanSecWest just held its Pwn2Own contest again, and they fell like drunk 16-year-olds this time (don’t read too much into that one, please).
Lots of successful cracks this year: Internet Explorer 8 on Windows 7, Firefox 3.6 on Windows 7, iPhone OS 3.0, and Safari 4 on Mac OS X 10.6. Opera didn’t partake, and nobody even attempted to take on Google’s Chrome. Details of all the cracks and exploits will be handed over to the vendors involved; they won’t be made public until patched.
Little is known about the Safari 4 on Mac OS X 10.6 and Firefox 3.6 on Windows 7 cracks. We do know that the Safari one was performed by Charlie Miller, who has now won three Pwn2Own contests in a row. He came to the contest with 20 exploits in hand, which he found using a 5-line Python script, which he will detail tomorrow (oh, that’s today.).
“Tomorrow, I’m going to describe exactly how I found them, so hopefully that means Apple will replicate what I did and they’ll find my 20 [bugs] and probably a lot more,” Miller said, “Hopefully, they’ll keep doing that and improve their mechanisms of finding bugs as opposed to just slapping band-aids every time I send them email about what bug I have.”
We know a little more about the iPhone OS crack. Vincenzo Iozzo from security firm Zynamics and Ralf-Philipp Weinmann, a post-doctoral researcher at the University of Luxembourg, used an exploit in Safari to gain access to the text messages stored on the phone – even those that have been “deleted”. The interesting aspect here is that they managed to evade both the iPhone’s Data Execution Prevention as well as the fact that all code on the iPhone must be signed.
The Internet Explorer 8 on Windows 7 crack has also been detailed a little more. Peter Vreugdenhil, who works for Vreugdenhil Research here in The Netherlands, had to use two exploits to gain code execution on Windows 7, but with that, he managed to evade both Windows 7’s ASLR as well as its DEP – without using any third-party stuff.
It is important to note, however, that neither the IE8 nor the iPhone cracks managed to escape the OS-supplied sandboxes, meaning data could only be read, so they can’t be used to install malware or the like. Still, they can be useful in data theft.
Thom, this just goes to show you that you were wrong as ever when you said DEP and ASLR were never cracked. I know I pointed out before that this was not the case but now we have new exploit techniques that do not rely on third party code. It just goes to show that nothing is really secure. I don’t doubt that we will see the same results year after year.
Back then, they were indeed not yet cracked.
This is now.
That’s not rocket science.
Did you even read the article or anything I posted this time or last time? Both had been cracked for a while now. The new technique just doesn’t require a third party app like flash or java.
Microsoft always rolls huge marketing pushes before each release and almost every time reality comes out much more bleaker. The biggest ones I remember is:
* .NET pre-release marketing where .NET would be the new Internet and the new OS and everything (.NET was still nice but honest marketing would have said, “it’s like a bugfixed Java with generics”).
* Vista was hyped with stuff like WinFS, “buffer overflows are now history due to ASLR/DEP” and 10 second boot time (yes they said that!).
* Win7 was hyped as having as good perf as XP or sometimes better but in reality win7 is as slow as Vista and sometimes slower.
A lot of people, including Thom unfortunately, keeps buying into and repeating the hype instead of reviewing what’s _actually_ there.
Right now IE9 is hyped with comments like “same markup, same results” but we already know right now that Microsoft will only ship H264 so any HTML5 markup that uses the video element will not be “same markup, same results”. Also there will be no Acid3, they will still include the ActiveX security hole “feature” because of backwards compatibility.
IE9 will be too late, too slow and won’t render the modern web at the time it ships. IE9 will be used mostly by people who don’t know what a browser is etc (that of course unfortunately means IE9 will have a significant market share; http://www.youtube.com/watch?v=o4MwTvtyrUQ )
Ah, we’re back tot he pro-Microsoft accusations. I guess we got tired of the OSS-zealot accusations.
Edited 2010-03-26 10:04 UTC
If it makes you feel any better Thom I don’t think you’re a Microsoft zealot, I just think you’re wrong.
Ah…abraxas…FTW!
Edited 2010-03-26 16:18 UTC
*I* even managed to bust the ASLR on Vista (and Win7). It was as easy as finding a register that you could use to calculate the offset in memory. I believe that the implementation in Vista has been documented in “Hacking Exposed” or maybe it was “Shellcoders handbook”. Anyway, use the same principal and you bust ASLR in Win7.
And *I* am not even that good… just read a few books and copy-pasted some code just to try it, basically. I wouldn’t be surprised if ASLR and DEP has been “unofficially” cracked for a while by now. Probably Chrome as well. Never underestimate the blackhats. Though, gotta give it to the people in Pwn2Own. They are sure doing us all a favor by finding these exploits.
I’m just worried about the exploits out there that hasn’t been “officially” found yet.
By the way, are they using only vanilla installations? How about with antivirus/etc installed, is it just as easy for them?
Edited 2010-03-25 23:26 UTC
Agreed. Some people don’t seem to understand that blackhats and even security researches hoard exploits. I don’t doubt for a second that a lot of software that people use on a daily basis is exploitable and someone knows about it, and it is usually the wrong someone. People are living in fantasy land if they think their code is secure just because a security advisory hasn’t been released for it.
Edited 2010-03-26 00:36 UTC
There have been some great quotes from modern Mac Warriors. The ex CEO of Omni Wil Shipley had a poin of view about hacking security and privacy that essentially came down to being proud of the work you do and putting a lot of pride in it but do not expect that some new kids are not going to come over the hill and torch all that you did to secure your app (he was talking about serial numbers and SW piracy…) and he was right. We all might bee good or clever or some combo of both in a team. And our Opposing Force will be just a proud and clever when they hack or [K]rack or serve us old-heads. That is the only way that progress gets made.
I did a seminar a few years back with Jon Wolf Rentzch about code injections and fuzzing. I understood about half of it 3 years ago and I have picked up on half of what I didn’t know since then. It is one thing to think that this-patch or that-patch will fix anything.
At least with the Unixes and the Mac we do not have obvious WTF ‘features’ like exec bits set on tmp folders and – – Ooops by default we do have a lot of holes.
Hell unix used to be full of holes in the 70s and 80s and Microsoft used to be much worse. Someday it will be these guys bitching about 2014s new 0-day exploit
until then fight the good fight
DEP is 100% unbreakable if permissions are set correctly. And that’s not really difficult. The problem is that lately everybody and his hamster is playing with JIT which forces you to have code to set and unset permissions.
Even then, full ASLR should protect you from that. In this case the problem is that you can know where a function will be, at some point the OS or the program itself is giving out too much information. In any case, Windows ASLR is more complete than Linux’s; and MacOS X’s is even worse and only available in the latest version.
More importantly, the jail was broken, and each new exploit for IE8 finds a way of breaking it, so the people that rely mainly on jails instead of trying to prevent the code to run in the first place are the ones that should be getting really worried. Windows is on the right track by doing it all. Windows 7 is not your grandpa’s Windows 98.
Nothing remains unbreakable forever. Ever. That’s just the nature of computing. The harder security is implemented the more they will try, and succeed, to break it open. It’s the same with any type of security, not just computing. It’s startlingly close to the laws of the physical world, specifically that every action has an equal and opposite reaction.
There’s only one way to keep yourself completely safe online, and that is to use your own common sense. Sadly, it seems as though many people lack such a useful attribute these days and want the computer to do the thinking for them.
If you can bypass ASLR in Windows as was done, it doesn’t seem as though full ASLR (as Windows advocates say) is much better than the partial ASLR that Mac OS X has.
Charlie Miller said that Mac OS X is easier to hack than Windows 7 but it doesn’t seem that it’s more than a matter of degrees. Of course, they’re still attacking by browser, so apparently neither one has a direct opening.
It’s good enough, though, because some users will click on anything.
No it’s not. DEP prevents you from running code out of the stack or a data buffer, but you can still overwrite the return address on the stack to jump to an arbitrary point inside the code of the app itself or a library it uses. By carefully piecing together these fragments of code you can effectively do just about anything.
Now ASLR makes these kinds of attacks much more difficult (particularly on 64-bit systems) if implemented properly.
Well, of course DEP doesn’t protect you from a buffer overflow in VM code overwriting your BASIC program, from the CIA, or from you doing sudo evil script. Its target is clear, it makes data execution impossible.
If ASLR is applied on everything on loading the only way the attacker could know the address of important functions is intentionally revealing it or it not being very random in the first place. It would of course be better if the programs didn’t link-in the functions in the first place.
Buffer overflow exploits(even when the bug is present) are also a lot less likely if heap addresses are also randomized which Windows does at least to a degree if I can believe Wikipedia, but Linux, for example, doesn’t and gives you(by default) the same blocks over and over. You can predict where things will be.
So Windows has implemented good techniques but has other problems which invalidate them. They also have all the other ACLs, jails, managed code, etc. features, that execution prevention naysayers defend as the ultimate solution and that seem to be bypassed easily all the time, without using CPU bugs or whatnot. You see that in the exploits the part they boast about is always breaking EP.
The sudo evil script problem is unfortunately unsolvable, ars(I think) had an article recently on how people would *forward* spam. However, that doesn’t mean that exploit prevention is useless. Some people are less gullible than others; they deserve some protection even if it isn’t perfect. Maybe you didn’t notice, but we don’t have viruses anymore like in the 90s.
Windows caches and hands out the same blocks over and over too. It’s better for efficiency that way.
Funny, I guess I must be imagining all these XP machines people are still using that I *still* end up having to remove viruses from. Maybe you didn’t notice, but there aren’t a whole lot of consumers throwing away their three or four year old hardware for a Windows 7 machine and many of them don’t know how to upgrade or even that they should. Hell, some of them did upgrade and didn’t like it and what did they do? Back to XP… and back to virus hell. As long as XP survives, we will never be free of this.
Yes, we still do have those viruses.
Does anyone have the link to the said Python script? I think this is really interesting and would like to run it against some apps I wrote/I use. Maybe I can help improve software security of the open source desktop this way?
Does anyone have the link to the said Python script?
I’d also like to see it but just for purely academic reasons; I am still a beginner even when it comes to basic programming, but it’d still help me learn atleast something new
Better way would be learning TDD(test driven development) and using tools like Pex(look Microsoft research) when you program. I’m shocked how few people actually use something simple as TDD as principle on coding. It is so much easier find bug using white box testing than black box testing.
You are right.
Just as a small note. All programming languages I know have something like this. Smalltalk usually has this integrated and nearly Perl devs make heavy use of it. So there is no reason to not use it.
It also helps a lot when it comes to portability.
Honestly Chris Miller seems to have done his homework correctly and thoroughly. Now there are ways to tighten the OS and as a Mac guy I will stand by my tools and techniques. At the same time talking “Mac Security” to Mac users is like leading stupid horses to water. My favorite user(My Wife copy/pasted a link into Safari and pow ‘0wn3d’). No amount of code signing or address space randomization will replace solid understanding of what I am doing just good situational awareness. So the Next level of responsibility falls to Network Security, I hit the switch on the router. Then I checked my firewall logs and settings. Then I checked the logs on the Mac and the firewall again. It was trying to telnet her/our address book somewhere, that port was blocked, and now that address is blocked. If it hadn’t happened in real time I suppose I would only have theory on what I (as more than just a random end user/ my kids or carol in Accounting…) would do if my unhackable box got hacked.
Does this mean that I am safe or less safe on a Mac? or on a PC? or some FOSS/Linux? My wife kept asking me if we were safe. And I suppose that we still are basically as safe as we want to believe. And out in the world or on some open/unencrypted network – Well if it can happen at home (and a failed hack is just as good as a fire for me) then it can happen 100% easier on an uncontrolled network.
Atleast now no one is shout at ONLY Microsoft for buggier (unsecure) browser. Fact is all software are not secure by its own.
The only solution for this is, you be causious & secure rather than you relay on browsers, like limiting your self with only legitimate sites. As long as you are in the limit you are almost (99.99%) safe and not opening any mail attachment for until you are sure of what you are opening.
And you can’t let your guard down. The hackers are getting better at the social end of it. I like to believe I’m situationally aware, but I almost fell for a link from a friend on Facebook. Had I not seen someone else’s post about how these links led to some sort of virus, I would’ve been toast.
The trouble with only viewing legitimate sites, is that even legit sites can get hacked, or serve ads from third party sites…
The best thing to do, is isolate your browser from anything important you do, and use a niche browser running on a niche os (and proprietary things like flash severely hamper this)
I see that drunk dutch teens has the same healthy relationship to alcohol as swedish teens does.
The competition is fun but based on it’s rules, it can only highlight the researcher. They choose the single target to attempt and can not use the exploit against a second target.
What I’d like to see is a post-competition stage where the same exploit is tested against all browser/platform combinations. Find out and publish the full spectrum of vulnerable configurations. Are all current versions of Firefox vulnerable and across what platform installs rather than just 3.6.2 on osX.