VANCOUVER, BC — The first day of the CanSecWest Pwn2Own hacker
challenge wrapped up here today with a familiar face going after a
familiar target.
And, for the second year in a row, a German hacker known simply as
“Nils” exploited a previously unknown vulnerability in Mozilla Firefox
to take complete control of a 64-bit Windows 7 machine.
The successful exploit, which defeated ALSR+DEP on Windows 7, followed hacking attacks against Safari on Mac OS X, Internet Explorer 8 on Windows 7 and Apple’s iPhone device. There were no hacking attempts against Google Chrome.
Nils, a 26-year-old hacker who heads up the security research team
at U.K.-based MWR InfoSecurity, also planned to attack Apple’s Safari
browser but after Charlie Miller’s victory against that target, he did
not get an opportunity.
As per the contest rules, he was not allowed to disclose details
about the Firefox vulnerability — contest sponsor TippingPoint ZDI
owns the exclusive rights to that information — but in a Q&A
session with journalists here, Nils said the biggest challenge was
navigating the anti-exploit mitigations in Windows 7.
He used several tricks to bypass Address Space Layout Randomization
(ALSR) and Data Execution Prevention (DEP) to get his drive-by download
to load an executable on the target machine.
ASLR+DEP are held up as significant roadblocks to thwart malware
attacks on the newest versions of Windows but, as this contest shows,
skilled hackers with enough motivation and resources can bypass those
mitigations easily.
Nils said Mozilla can do a better job of opting into ASLR on
Windows, a clear hint that implementation errors make it easy to bypass
the Windows defenses.