
Detailed rules for the Hack2Own contest on PHDays 2012

Less and less time remains until Positive Hack Days 2012, and the online contests in which invitations are being given away are in full swing. However, there will also be plenty of interesting things happening at the forum venue itself, the Digital October technocenter. One of the highlights of the competition program will be the legendary Hack2Own contest.

In 2011, the winners of the Hack2Own contest were Nikita Tarakanov and Alexander Bazhanyuk, representatives of CISSRT, who demonstrated a zero-day vulnerability (CVE-2011-0222) in the latest version of the Safari browser for Windows and took the main prize: a laptop and 50 thousand rubles. This year the competition budget has been significantly increased and will exceed $20,000. The winners will have something to fill their new cases with :)

The competition is divided into three categories: exploitation of browser vulnerabilities, exploitation of mobile device vulnerabilities and exploitation of kernel-level vulnerabilities. Detailed rules for participation in the competition are below the cut.

Attention! A laptop is required to enter the competition.

Why do we need it?


We just want to make the world safer. We strive to maintain a responsible approach to disclosing information about discovered vulnerabilities. Therefore, the competition contains an important condition: the participant must notify the software vendor about the vulnerability within 6 months of its discovery.

Hacking web browsers: competition rules


In each round, the attack is carried out on one of the browsers listed below; the contest organizers follow the link provided by the participant. One attack vector may be used per round. A participant who succeeds in the first round takes first place; success in the second or third round earns second or third place, respectively. The success criterion is the launch of an application controlled by the participant in the operating system as a result of a remote client-side attack.

The organizers reserve the right to lower a participant's rating depending on the type of vulnerability used and the conditions of its exploitation (the need for user interaction, limitations on further development of the attack and other conditions that affect the degree of risk according to the CVSS methodology).

Software offered for exploitation

First round: Microsoft Internet Explorer 9, Google Chrome 19.0.1084, Mozilla Firefox 12.

Round two: Microsoft Internet Explorer 8/9, Mozilla Firefox 10/11/12, Google Chrome 16/17/18/19, Opera 11/12, Apple Safari 5.0 / 5.1.1 / 5.1.2.

In the third round, the latest versions of common third-party browser components may be used: Adobe Flash Player (11.2.202.235), Adobe Reader (10.1.3), Java (7 update 4). The list of browsers is identical to that of the second round.

Platforms used

First round: Windows 7 Service Pack 1 (x64). Second and third rounds: Windows 7 Service Pack 1 (x64 / x86) and Windows XP SP3 (x86).

Terms of participation

Only pre-registered specialists are allowed to enter the competition. Applications are accepted at phdcontests@ptsecurity.ru. The registration deadline is May 28, 2012. The application must specify the name of the participant, the browser selected as the target of the attack, and the attack vector to be used. The contest organizers reserve the right to reject an application if the participant cannot confirm their competence in the subject matter of the competition.

Prizes

1st place: 137,000 rubles.
2nd place: 75,137 rubles.
3rd place: 50,137 rubles.

If several participants compete for the same place, the winner is determined through expert assessment of the exploit's technical characteristics (exploitation difficulty, stability, etc.).

Attending all the events of the Positive Hack Days Forum is free for the participants.

Technical details

The final decision on the software versions to be used in the competition is made at least two weeks before the event. The relevant information is published on the PHDays website at www.phdays.ru. After each exploitation attempt, the operating system is restored to its original state. The participant chooses and uses all software required for the attack independently. Each participant is provided with a wired or wireless network connection.

Hacking Mobile Devices: Rules


The attack on a single device is carried out in one round using one attack vector; the contest organizers follow the link provided by the participant. A participant who succeeds in the first round takes first place; success in the second or third round earns second or third place, respectively. After each exploitation attempt, the operating system is restored to its original state. The success criterion is the launch of an application controlled by the participant on the device as a result of a remote network attack.

The organizers reserve the right to lower a participant's rating depending on the type of vulnerability used and the conditions of its exploitation (the need for user interaction, limitations on further development of the attack and other conditions that affect the degree of risk according to the CVSS methodology).

Terms of participation

Only pre-registered participants are allowed. Applications are accepted at phdcontests@ptsecurity.ru. The registration deadline is May 28, 2012. The application must specify the name of the participant, the operating system selected as the target of the attack, the type of device (tablet or smartphone) and the planned attack vector. The contest organizers reserve the right to reject an application if the participant cannot confirm their competence in the subject matter of the competition.

Prizes

1st place: 137,000 rubles.
2nd place: 75,137 rubles + iPhone 4S.
3rd place: 50,137 rubles.

If several participants compete for the same place, the winner is determined through expert assessment of the exploit's technical characteristics (exploitation difficulty, stability, etc.).

Attending all the events of the Positive Hack Days Forum is free for the participants. In addition, all participants will receive valuable prizes and gifts from the forum organizers, Positive Technologies, and the event's sponsors.

Platforms used

First round: tablet or smartphone with iOS 5.1.1 or Android 4.0.4.

Second round: tablet or smartphone with iOS 5.1.1 or Android 4.0.4 + popular third-party software (discussed with the organizers when registering for the competition).

Third round: a tablet or smartphone with iOS 5.0, a tablet with Android 3.0, a smartphone with Android 2.3.

Technical details

The final decision on the software versions to be used in the competition is made at least two weeks before the event (the information is published on the PHDays forum website). Devices used in the contest are in their standard “out of the box” configuration, except for the settings needed to set up a network connection. After each exploitation attempt, the device is rebooted and returned to its initial state.

The typical attack vector is a visit to a specially crafted website via the device's standard browser. If other attack vectors are used (receiving an SMS or MMS, viewing e-mail, etc.), the participant indicates this in the application at registration.

The participant chooses and uses all software and hardware required for the attack independently. Each participant is provided with a wired or wireless network connection.

Exploiting Kernel Vulnerabilities: Contest Rules


Each participant has the opportunity to demonstrate exploitation of a kernel-level vulnerability in the operating system. The exploit submitted by the applicant must allow an unprivileged user to elevate their privileges in the system to the superuser level.

In each round, the attack is carried out on one of the platforms listed below; the contest organizers run the executable file provided by the participant. One attack vector may be used per round. A participant who succeeds in the first round takes first place; success in the second or third round earns second or third place, respectively. The success criterion is that the participant changes the privilege level from an unprivileged user to the highest possible in the system. The organizers reserve the right to lower a participant's rating depending on the type of vulnerability used and the conditions of its exploitation (the need for user interaction, limitations on further development of the attack and other conditions that affect the degree of risk according to the CVSS methodology).

Platforms used

First round:


Second round:


Third round: the set of platforms is identical to that of the first round. Popular third-party security software (antivirus, HIPS, etc.) may be used (discussed with the organizers when registering for the competition).

Terms of participation

Only pre-registered specialists are allowed to enter the competition. Applications are accepted at phdcontests@ptsecurity.ru. The registration deadline is May 28, 2012. The application must specify the name of the participant and the platform selected as the target of the attack. The contest organizers reserve the right to reject an application if the participant cannot confirm their competence.

Prizes

1st place: 75,000 rubles.
2nd place: 50,000 rubles.
3rd place: 30,000 rubles.

If several participants compete for the same place, the winner is determined through expert assessment of the exploit's technical characteristics (exploitation difficulty, stability, etc.).

Attending all the events of the Positive Hack Days Forum is free for the participants.

Technical details

The final decision on the software versions to be used in the competition is made at least two weeks before the event (the information is published on the PHDays forum website). After each exploitation attempt, the operating system is restored to its initial state. The participant chooses and uses all software required for the attack independently.

To take a responsible approach to the disclosure of information, you can:

Source: https://habr.com/ru/post/144079/