Three different hackers found 'Pwn To Own' bug

Contest winner not the first to report flaw, but that's OK, says TippingPoint

The Flash vulnerability used to hijack a Windows Vista laptop during last month's "PWN To OWN" hacker challenge was independently uncovered by two other researchers, one who noted it nearly five months ago, the company that paid the contest prize money said today.

"Vulnerabilities are found by multiple researchers all the time, all across the globe," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary. TippingPoint put up the cash prizes awarded during the PWN To OWN contest held March 26-28 at the CanSecWest security conference.

"Here we have three different people with three different motivations," Forslof added.

In a post to the TippingPoint blog, Forslof spelled out the multiple, though not simultaneous, discoveries of the Flash Player bug.

November 12, 2007: David Maynor, a noted security researcher with consulting firm Errata Security, posted screenshots of a crash analysis in Flash. Maynor speculated at the time that it might be an "unexploitable double free," referring to "double free" errors caused when the free() function is called more than once with the same memory address as an argument.

Forslof said that Errata, which produces penetration-testing tools, subsequently uncovered an exploitable Flash bug, then came up with an exploit that it added to its testing tools.

"I confirmed after the release of Adobe's patch that the vulnerability discovered and eluded to on the blog post was, indeed, the same vulnerability used in the PWN to OWN contest," said Forslof.

February 7, 2008: Another researcher submitted the same vulnerability to TippingPoint's Zero Day Initiative (ZDI), one of the two major bug-bounty programs currently in operation. The ZDI advisory, posted Tuesday to coincide with the patched update to Flash Player, identified the researcher as Javier Vicente Vallejo.

"He was the first to report it to us," said Forslof.

March 28, 2008: Shane Macaulay, assisted by two other researchers, used the same vulnerability in Flash to hack a Fujitsu notebook running Windows Vista SP1, one of three machines up for grabs in the PWN To OWN challenge.

But if Macaulay was the third to discover the bug, and the second to report it to TippingPoint, why did ZDI cut him a prize check for $5,000, essentially paying twice for the same vulnerability?

"It was within the rules and realm of the contest," Forslof explained. And even if it hadn't been, it would have been likely Macaulay would have gotten something. "We have this situation all the time, when someone reports a vulnerability that we already have purchased," Forslof said. "What we do, generally we will offer a sum of money [to the second researcher] to turn over the rights to the vulnerability to insure the protection of the information for the vendor."

TippingPoint reports vulnerabilities it purchases, including those it acquired at this year's PWN To OWN from Macaulay and another hacker, Charlie Miller, who broke into a MacBook Air in two minutes to claim a $10,000 award.

The discovery of the Flash Player vulnerability by several researchers, Forslof argued, illustrates the value of bug-buying programs like ZDI. "If there are 10 people who find a bug, and just one feels that the financial compensation we offer is suitable and motivates them to report it, then it's a win," she said, "because that means it's reported to the vendor, is fixed and stops the other nine from using it."

Adobe patched the Flash Player bug used by Macaulay, reported by Vallejo and suspected by Maynor, on Tuesday. It urged Windows, Mac and Linux versions of the popular player and browser plug-in to update their software.

Copyright © 2008 IDG Communications, Inc.

Shop Tech Products at Amazon