If at first you don't succeed; call it version 1.0
Wednesday, April 02, 2008

I hate when things like this happen. You are too eager to succeed at something, and it eventually fails because of pure bad luck. This is exactly what happened to me in CanSecWest's PWN2OWN contest.

I heard that the second PWN2OWN contest would be held at CanSecWest about a week before the conference began. I couldn't attend the conference this year, but I did want to participate. So, I looked at my arsenal of vulns and picked one that looked pretty neat, was easy to exploit, and met the contest terms: the vulnerable application is AIM (a popular software client), exploiting the vulnerability allows remote code execution, and the neat thing is that exploiting it requires a Man-In-The-Middle position, which can easily be achieved by using the cool AirPwn tool.

The next thing was to look for a trusted person on site with enough skills to build the attack. Fortunately, I was able to contact Steve Manzuik, who teamed up with AirPwn's creator, Bryan Burns, to create the exploit.

Now that we were ready, the only thing we were waiting for was the first day of the contest to arrive. Unfortunately, and this is where the bad luck begins, a day before the contest began TippingPoint decided to change the rules. So now, instead of being able to participate in the contest from the first day, we had to wait for others to try to exploit the machine for two whole days before we could start.

Day 3 came. The Vista machine was still up, the MacBook Air was already gone, and my friends Steve and Bryan were waiting in line for the contest. One place ahead of them in the line was the winner of last year's contest, Shane Macaulay. Rumors were that he had a working exploit. 10 minutes passed, nothing. 20 minutes, not a single word. After 30 minutes (the official limit for each turn), the word was out that there were some kind of hardware problems. Eventually, after a few hours (??), with some help from his friends, Shane was able to get his Flash exploit working. Kudos to Shane, Alexander and Derek for winning!


Now I'm left with one little problem: what should I do with the AIM vulnerability? The way I see it, I have three choices:

1) Leave it as it is - Only Steve, Bryan and I will know about it, until eventually someone else finds it.

2) "Responsibly" disclose it - Send all the information to AOL, wait for a fix to be delivered, and then publish the technical stuff.

3) Full Disclosure - Inform AOL and, in parallel, publicly disclose all the technical information.


I'm interested in what you think the best choice is. Please comment or send me an email with your thoughts. New ideas are also welcome.

