For the second time ever at a HITBSecConf, we will be organizing an Open-Hack competition with a slight twist inspired by the Pwn-to-0wn contest run by the guys at CanSecWest.
The purpose of an Open Hack is to uncover new and previously unknown vulnerabilities in operating systems and software. This year’s Open Hack will involve 4 fully patched MacBook Airs, each with a default install of Leopard and the firewall set to default settings. Similar to the contest at CanSecWest, the machines will be accessible via wired crossover Ethernet connections. Be the first to hack in and you walk away with a brand new machine!
To claim a laptop as your own, you will need to read the contents of a designated file on the system through exploitation of a 0day code execution vulnerability (i.e. no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable), and only one person may attack each system at a time so that each team’s exploit remains private. Slots will be available for sign-up in 30-minute increments at the beginning of each day. Any WiFi or Bluetooth exploits will be verified offsite in a secure lab to prevent snooping. The first winner of each laptop gets to keep it (one laptop per vulnerability entry).
Day 1 - 29th October 2008 - Default client-side applications
Day 2 - 30th October 2008 - Popular 3rd party apps
All remote exploit submissions can be sent to firstname.lastname@example.org - his PGP key ID is 0x885E28F9 - please send your public key before sending your encrypted mail. All submissions should reach us no later than 1700 MYT on the 30th of October 2008!
Once a laptop is won, however, no more exploits may be submitted. All winning exploits will be handed over to the affected vendors at the conference through WabiSabiLabi, with the appropriate credit given to the contestant. All contestants must agree to the responsible disclosure handling of their vulnerability/exploit.