• United States



Conference’s Mac Hack contest a three-way race this year.

Mar 18, 20085 mins
Data and Information Security

Organizers of the CanSecWest conference happening in Vancouver next week have re-introduced their Mack Hack contest. Only this year, it’s a three-way race. Here are the rules, as explained by Dragos Rui, the conference’s organizer.

Announcing CanSecWest PWN2OWN 2008.


Three targets, all patched.  All in typical client configurations with

typical user configurations.  You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to

claim the prize.

Targets (typical road-warrior clients):

         VAIO VGN-TZ37CN running Ubuntu 7.10

         Fujitsu U810 running Vista Ultimate SP1

         MacBook Air running OSX 10.5.2

This year’s contest will begin on March 26th, and go during the

presentation hours and breaks of the conference until March 28th.

The main purpose of this contest is to present new vulnerabilities in

these systems so that the affected vendor(s) can address them.

Participation is open to any registered attendee of CanSecWest 2008.

Once you extract your claim ticket file from a laptop (note that doing

so will involve executing code on the box, simple directory traversal

style bugs are inadequate), you get to keep it. You also get to

participate in 3com / Tipping Point’s Zero Day Initiative, with the top

award for remote, pre-auth, vulnerabilities being $25k. More fine print

and details on the cash prizes are available from TippingPoint’s DVLabs

blog ( More fine print and rules for

the contest will be found at the site.

Quick Overview:

-Limit one laptop per contestant.

-You can’t use the same vulnerability to claim more than one box, if it

is a cross-platform issue.

-Thirty minute attack slots given to contestants at each box.

-Attack slots will be scheduled at the contest start by the methods

selected by the judges.

-Attacks are done via crossover cable. (attacker controls default route)

-RF attacks are done offsite by special arrangement…

-No physical access to the machines.

-Major web browsers (IE, Safari, Konqueror, Firefox), widely used and

deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium,

Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook,, Thunderbird,

kmail, mutt) are all in scope.

Fine Print:

These computers are REAL and FULLY patched. All third party software is

widely used. There are no imitation vulnerabilities. Any exploit

successfully used in this contest would also compromise a significant

percentage of Internet connected hosts.  Instead, players choose to use

their exploits here, at CanSecWest PWN2OWN 2008.  All successful exploits

will be turned over to the appropriate vendor and patched before details

are made public.


1. Attacks remain confidential until prize is claimed

Players will connect to the targets with a crossover cable and we will

not record the network traffic or log anything other than what is done

by default.

Successful exploits can be delivered directly to Tipping Point after the

we verify that you control the target.

In the event that internet connectivity is required (eg. IM clients)

we will put the target online behind a firewall. We won’t sniff at the

firewall, but we can make no guarantees for upstream networks. (so be

careful what you send over the Internet!)

2. No wireless attacks in the conference area

Players with intent to use wireless attacks must inform us in advance.

We will relocate to a secluded, undisclosed location to test.

3. One attacker per target at a time

As is obvious from rule #1 and rule #2, one player gets exclusive access

to any target at one time.

4. Players take turns, no hogging the targets

Players are limited to 30 minutes per attempt. We will mercilessly

disconnect your cable at the end of each attack slot. Be fast!

We will reboot the targets before each session begins.

5. First come, first served access to targets.

Players get in line for their turns and may take an unlimited number

of turns. If a player runs out of time and no one else is waiting for

access to the target he may continue for another turn. Players may not

have more than 1 turn in any 30 minute period. (That means we won’t

reboot a target any time you feel like it)

6. Remote, pre-authentication attacks are required to win

Players may not physically touch the targets or look at the target’s

display. Players are required to demonstrate to our satisfaction that

arbitrary code runs on the target.

7. Attackers control the default route for the target.

Players may become the target’s default gateway in order to perform man

in the middle attacks.

8. Contest officials visit attacker web servers

Players may direct us to visit a web server running on the player’s

computer. Players may specify which browser to use.

Keep the URL reasonable. We’re not going to type weird addresses in.

Once we hit enter that’s it. We will not click on any links.

9. Contest officials read email from attackers

Auto-preview (Preview panes, etc) is enabled on mail readers, but we will

not click on links contained therein or open attachments.

10. Contest officials will add attackers on IM and read their messages.

They will not click on links or open file transfers.

11. Client Application list:

The fully patched client-side applications that qualify for a prize includes:

.     Adobe PDF

.     Adobe Flash

.     Microsoft Silverlight

.     Microsoft Internet Explorer

.     Microsoft Outlook/Outlook Express

.     Firefox

.     Safari

.     iChat

.     Apple Mail

.     Skype

.     Adium

.     Pigdin

.     Kmail

.     Thunderbird

.     Evolution

.     mutt

.     AOL, Yahoo!, and MSN official IM clients

.     Java/JRE

Other software may be added to this list at our discretion of if we

deem it represents a significant attack target on normal internet

clients at large.

12. Winning exploits must be true 0day.

They may not have already been submitted to the affected vendor or

to third parties.

13. Each machine will be secured to common industry best practices.

We’ll get Andrea Barisani from our Hardening Linux Dojo (which still

has seats available 🙂 to look over the Ubuntu machine, and the

Microsoft/iSec/Core DTF folks to secure the Windows boxes, and Josh

Ryder our local Mac zealot to look at the OSX wafer.

Special Thanks:

-LTC Ron Dodge, USMA, for agreeing to be in the hot seat as the judge.

-The folks at 3com Tipping Point ZDI for helping out.

-The folks at White Wolf Security for assistance in the design, prep,

 and running the challenge.

–Robert McMillan