begood Posted February 16, 2010

The TippingPoint Zero Day Initiative (ZDI) is proud to announce that the annual Pwn2Own contest is back again this year at the CanSecWest security conference held in Vancouver, BC on March 24th 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This is our 4th year running and to commemorate we have increased the total cash prize amount to $100,000 USD. If you're unfamiliar with the past history of this competition check out the archived 2008 and 2009 blog entries.

This year the competition will have two main technology targets. In keeping with tradition the first portion of the event will attempt to bring to light the current security posture of market-leading web browser and operating system pairings. The multifaceted web browser continues to occupy a critical presence on the client-side attack surface. As Adobe, Google, and an estimated 30 other companies affected in the Aurora incident can attest to, the security posture of these products merits a yearly public evaluation by the research community at large.

The second portion of Pwn2Own 2010 offers bounties for vulnerabilities affecting mobile phones. The increased presence and capabilities of smart phones has brought with it the same security issues and attention traditionally reserved for non hand-held platforms. Vulnerabilities in parsing media, dynamic web content, e-mail, and other client-side issues have been published in the past. Additionally, many of the communication protocols that mobile phones implement are the focus of a burgeoning field of security research (ex: Lackey, Langlois, Bailey). The data stored and communicated across these devices is increasing in value to attackers.

Registration

Pwn2Own will be held over the course of three days starting on March 24th with the browser and the mobile contests running concurrently.
To register for the competition, send us an e-mail at ZDI@tippingpoint.com. Competitors will be assigned a random half hour time slot.

Following the Contest

This blog entry will be updated frequently and serve as the main point of information dissemination. Additionally, you can get real-time updates and provide real-time feedback via our ZDI Twitter account @theZDI.

Please direct all press inquiries to: Jennifer Lake <jlake@tippingpoint.com>

Target: Web Browsers

$40,000 of the total $100,000 cash prize pool is allotted to the web browser portion of the contest, each target is worth $10,000. The browser targets this year will include the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari.

To highlight the efficacy of operating system level protections we have structured the ZDI bonus point amounts to reflect the difficulty of exploitation. Once a target has been successfully compromised it will be removed from the competition. Thus, a successful day one attack on a specific browser must overcome the latest and greatest flagship operating system with all exploit mitigations activated in their default state.

Day 1

The target pairings for day one are:

* Microsoft Internet Explorer 8 on Windows 7
* Mozilla Firefox 3 on Windows 7
* Google Chrome 4 on Windows 7
* Apple Safari 4 on MacOS X Snow Leopard

In addition to the underlying laptop and $10,000 USD cash prize, successful competitors on day one receive 20,000 ZDI bonus points which immediately qualifies them for Silver standing.
Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.

Day 2

The target pairings for day two are:

* Microsoft Internet Explorer 7 on Windows Vista
* Mozilla Firefox 3 on Windows Vista
* Google Chrome 4 on Windows Vista
* Apple Safari 4 on MacOS X Snow Leopard

In addition to the underlying laptop and $10,000 USD cash prize, successful competitors on day two receive 15,000 ZDI bonus points which immediately qualifies them for Bronze standing. Benefits of ZDI Bronze standing include a one-time $1,000 USD cash payment and a 10% monetary bonus on all ZDI submissions in 2011.

Day 3

The target pairings for day three are:

* Microsoft Internet Explorer 7 on Windows XP
* Mozilla Firefox 3 on Windows XP
* Google Chrome 4 on Windows XP
* Apple Safari 4 on MacOS X Snow Leopard

In addition to the underlying laptop and $10,000 USD cash prize, successful competitors on day three receive 9,999 ZDI bonus points which puts them just one ZDI submission away from Bronze standing for the year ;-)

Target: Mobile Phones

$60,000 of the total $100,000 cash prize pool is allotted to the mobile phone portion of the contest, each target is worth $15,000. A successful hack on these targets must result in code execution with little to no user-interaction. Expect updates on the rules as the contest approaches. The current target list is as follows:

* Apple iPhone 3GS
* RIM Blackberry Bold 9700
* A Nokia device running Symbian S60 (likely the E62)
* A Motorola phone running Android (likely the Droid)

In addition to the mobile device and $15,000 USD cash prize, successful competitors will receive 20,000 ZDI bonus points which immediately qualifies them for Silver standing.
Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.

Any non remote code execution entries accepted by the judges reduce the point giveaway to 9,999 ZDI bonus points which puts the competitor just one ZDI submission away from Bronze standing for the year ;-)

Happy hunting

TippingPoint | DVLabs | Pwn2Own 2010