Rules of the Hack2Own Competition at PHDays 2012

There’s little time left before Positive Hack Days 2012. Online competitions, which raffle off invitations to the forum, are in full swing. Yet, the most interesting events will happen at the forum’s platform in the Digital October Center. A legendary competition Hack2Own will be one of the highlights of the program.

In 2011 the of Hack2Own winners were Nikita Tarakanov and Alexander Bazhanyuk, representatives of the CISSRT team, who demonstrated 0day vulnerability (CVE-2011-0222) in the latest version of Safari (Internet browser) for Windows and took the first prize, namely, a laptop and 50,000 rubles. This year the budget of the competition has been significantly increased up to 20,000 $. The winners will have enough money to fill the new cases with :)

This competition is divided into three categories: exploitation of web browser vulnerabilities, exploitation of kernel vulnerabilities, and exploitation of vulnerabilities in mobile devices. Detailed rules of participation are under the cut.

Attention! A laptop is required to participate in the competition.

Why do we need it?

We just want to make this world securer. We strive for promoting ideas of responsible disclosure of vulnerabilities. That is why the competition has an important condition: a participant who detected a vulnerability should inform the software vendor within 6 months from the moment of its detection.

Hacking Web Browsers. Rules

In every round, attacks should be conducted against one of the specified browsers; the organizers follow the link provided by a participant. Only one attack vector can be used in each round. Having succeeded in the first round, a participant takes the first prize; in the second round, the second prize. Likewise, the third prize is given for the in the third. A participant will succeed if after conducting a remote attack against a client he or she will be able to launch an application on client’s operating system. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and its exploitation conditions (involvement of interaction with a user, attack development limitations and other conditions affecting CVSS severity).

Software for Exploitation

First round: Microsoft Internet Explorer 9, Google Chrome 19.0.1084, Mozilla Firefox 12.

Second round: Microsoft Internet Explorer 8/9, Mozilla Firefox 10/11/12, Google Chrome 16/17/18/19, Opera 11/12, Apple Safari 5.0/5.1.1/5.1.2.

It is permitted to exploit the latest versions of typical third-party browser components in the third round: Adobe Flash Player (11.2.202.235), Adobe Reader (10.1.3), Java (7 update 4). The list of browsers for the third round is identical to the list for the second one.

Platforms Used

First round — Windows 7 Service Pack 1 (x64). Second and third rounds: Windows 7 Service Pack 1 (x64/x86) and Windows XP SP3 (x86).

Participation Terms

All the preregistered specialists can participate in the competition. Please send your applications to phdcontests@ptsecurity.com. The last day of the registration is May 28, 2012. Specify the participant’s name, target browser, and an attack vector. The organizers of the competition reserve the right to refuse a candidate in case he or she fails to prove his or her competence to handle the issues the competition is based on.

Prizes

1^st place – 137,000 Russian rubles

2^nd place – 75,137 Russian rubles

3^rd place – 50,137 Russian rubles

If several participants of the competition claim the same place, the winner will be decided by expert evaluation of the exploit technical characteristics (exploitation complexity, stability, etc.).

Participants of the competition can visit all events of Positive Hack Days for free.

Technical Details

Versions of systems and applications used in the competition are finally settled not less than two weeks before the beginning of the forum. The relevant information will be published on the PHDays 2012 web site (http://www.phdays.com). After every exploitation attempt the operating system will be restored to its original state. The competitors should bring their own software needed for conducting the attack. Wireless or wired network connection will be provided.

Hacking Mobile Devices. Rules

Only one device can be attacked in a round using one attack vector; the organizers of the competition follow the link provided by a participant of the competition. In case of success in the first round, a participant takes the first prize, in case of success in the second or the third round – the second or the third prize respectively. After every exploitation attempt the operating system will be restored to its original state. A participant will succeed if after conducting a remote attack against a device he or she will be able to launch an application on that device. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and exploitation conditions (necessity of interaction with a user, attack development limitations and other conditions affecting CVSS severity). 

 

Participation Terms

All the preregistered specialists can participate in the competition. Please send your applications to phdcontests@ptsecurity.com. The last day of the registration is May 28, 2012. Specify the participant’s name, the target operating system, device’s type (tablet or smartphone) and an attack vector. The organizers of the competition reserve the right to refuse a candidate in case he or she fails to prove his or her competence to handle the issues the competition is based on.

Prizes

1^st place – 137,000 Russian rubles

2^nd place – 75,137 Russian rubles + iPhone 4s

3^rd place – 50,137 Russian rubles

If several participants of the competition claim the same place, the winner will be decided by expert evaluation of the exploit technical characteristics (exploitation complexity, stability, etc.).

Participants of the competition can visit all events of Positive Hack Days for free. Positive Technologies (the PHDays organizer) and the sponsors of the forum provide prizes and gifts for all participants of the competition.

Platforms Used

First round: iOS 5.1.1 (tablet/smartphone) or Android 4.0.4 (tablet/smartphone)

Second round: iOS 5.1.1 (tablet/smartphone) or Android 4.0.4 (tablet/smartphone) + well-known software of a third-party manufacturer (to be discussed with the organizers at the registration stage)

Third round: iOS 5.0 (tablet/smartphone) or Android 3.0 (tablet), Android 2.3 (smartphone)

Technical Details

Versions of the software used in the competition are finally settled not less than two weeks before the beginning of the forum. The relevant information will be published on the PHDays 2012 web site (http://www.phdays.com). Devices with the default out-of-the-box configuration are used in the competition, except for configurations necessary to organize a network connection. After every vulnerability exploitation attempt the device will be rebooted and restored to its original state.

A standard attack vector implies a visit to a specially crafted site via a default browser of a device. If other attack vectors are used (receiving of SMS/MMS, viewing e-mail messages, etc.), a participant should specify this information in the application for the competition.

The competitors should bring their own software and hardware needed for conducting attacks. Wireless or wired network connection will be provided.

Exploiting Kernel Vulnerabilities. Rules

Every participant will be able to demonstrate exploitation of OS kernel vulnerabilities. An exploit offered by a candidate should give an unprivileged user a possibility to increase his or her system privileges up to a superuser level.

In every round, attacks should be conducted against one of the specified platforms; the organizers of the competition launch an executable file provided by a participant. Only one attack vector can be used in a round. In case of success in the first round, a participant takes the first prize, in case of success in the second or the third round – the second or the third prize respectively. A participant will succeed if he or she increases privileges from the level of an unprivileged user to the maximum privilege level of the system. The organizers reserve the right to lower a participant’s rating depending on the type of a vulnerability used and exploitation conditions (necessity of interaction with a user, attack development limitations and other conditions affecting CVSS severity).

Platforms Used

First round: 

                Windows 7 Service Pack 1 (x64);

                Windows Server 2008 SP2 (x64);

                Debian Linux 3.3.5;

                FreeBSD 9.0;

                OpenBSD 5.1;

                OS X 10.7.4.

Second round: 

                Windows 7 Service Pack 1 (x86);

                Windows Server 2003 SP2;

                Windows XP SP3 (x86);

                Debian Linux 2.6.32-45;

                FreeBSD 8.0;

                OpenBSD 5.0;

                OS X 10.7.1.

Third round: the platforms are identical to those of the first round. It is possible to use well-known security software (antiviruses, HIPS, etc.) of a third-party vendor (to be discussed with the organizers at the registration stage).

Participation Terms

All the preregistered specialists can participate in the competition. Please send your applications to phdcontests@ptsecurity.com. The last day of the registration is May 28, 2012. Specify the participant’s name, and the target platform. The organizers of the competition reserve the right to refuse a candidate in case he or she fails to prove his or her competence to handle the issues the competition is based on.

Prizes

1^st place – 75, 000 Russian rubles

2^nd place – 50,000 Russian rubles

3^rd place – 30,000 Russian rubles

If several participants of the competition claim the same place the winner will be decided by expert evaluation of the exploit technical characteristics (exploitation complexity, stability, etc.).

Participants of the competition can visit all events of Positive Hack Days for free.

Technical Details

Platforms versions used in the competition are finally settled not less than two weeks before the beginning of the forum. The relevant information will be published on the PHDays 2012 web site (http://www.phdays.com). After every vulnerability exploitation attempt the operating system will be restored to its original state. The competitors should bring their own software needed for conducting attacks.

Information on the detected vulnerabilities should be disclosed using one of the following ways:

• providing a software vendor with a detailed description of detected vulnerabilities;
• communicating information on the vulnerabilities to CERT;
• communicating information on the vulnerabilities via UpSploit;
• communicating information on the vulnerabilities by means of participation in other official programs of remuneration for detected vulnerabilities such as Zero Day Initiative.