If at first you don't succeed; call it version 1.0
Wednesday, 02 April 2008

I hate it when things like this happen. You are too eager to succeed at something, and it eventually fails because of pure bad luck. This is exactly what happened to me in CanSecWest's PWN2OWN contest.

I heard that the second PWN2OWN contest would be held at CanSecWest a week before the conference began. I couldn't attend the conference this year, but I did want to participate. So I looked at my vulns arsenal and picked one that looked pretty neat, was easy to exploit, and met the contest terms: the vulnerable application is AIM (a popular software client), exploiting the vulnerability allows remote code execution, and the neat thing is that exploiting it requires a Man-In-The-Middle position, which can be easily achieved by using the cool AirPwn tool.

The next thing was to look for an on-site trusted person with enough skills to build the attack. Fortunately, I was able to contact Steve Manzuik, who teamed up with AirPwn's creator, Bryan Burns, to create the exploit.

Now that we were ready, the only thing we were waiting for was the first day of the contest to arrive. Unfortunately, and this is where the bad luck begins, a day before the contest began Tipping Point decided to change the rules. So now, instead of being able to participate in the contest from the first day, we had to wait for others to try to exploit the machine for a whole two days before we could start.

Day 3 came. The Vista machine was still up, the MacBook Air was already gone, and my friends Steve and Bryan were waiting in line for the contest. One place before them in the line was the winner of last year's contest, Shane Macaulay. Rumors were that he had a working exploit. 10 minutes passed, nothing. 20 minutes, not a single word. After 30 minutes (the official limit for each turn), the word was out that there were some kind of hardware problems. Eventually, after a few hours (??), with some help from his friends, Shane was able to get his Flash exploit working. Kudos to Shane, Alexander and Derek for winning!

Now I'm left with one little problem: what should I do with the AIM vulnerability? The way I see it, I have three choices:

1) Leave it as it is - Only Steve, Bryan and I will know about it, until someone else eventually finds it.

2) "Responsibly" disclose it - Send all the information to AOL, wait for a fix to be delivered, and then publish the technical stuff.

3) Full Disclosure - Inform AOL, and in parallel publicly disclose all the technical information.

I'm interested in what you think the best choice is. Please comment or send me an email with your thoughts. New ideas are also welcome.

Wednesday, 02 April 2008 18:27:42 UTC | Comments [4] | Security
Wednesday, 02 April 2008 19:16:48 UTC
I would report it to AOL. It is such a basic flaw on their part that they should probably be warned to fix it.

Friday, 04 April 2008 06:47:22 UTC
Full Disclosure, please.
And good luck next year.

Friday, 04 April 2008 06:53:32 UTC
I think that you need to report it to AOL with the date that you are going to disclose it and give them a few days to fix it.
If they can't offer a fixed version until then - disclose it.

Friday, 04 April 2008 15:34:05 UTC
Disclose it. If it is a design issue or code issue that requires MITM, there is lower risk that it is going to be used for a mass Internet worm. Also, these types of issues are not as widely appreciated as they should be. If people are trusting server data then ding them for it. I am making assumptions about the bug here, but given your prior postings, I am assuming that they are doing something stupid like downloading unsigned code from the server and running it blindly.