POSITIVE HACK DAYS




The detailed rules of HACK2OWN

Hacking Web Browsers. Rules

In every round, attacks should be conducted against one of the specified browsers; the organizers of the competition follow the link provided by a participant. Only one attack vector can be used in a round. Success in the first round earns a participant the first prize, success in the second round the second prize, and success in the third round the third prize. A participant succeeds if, after conducting a remote attack against a client, he or she is able to launch an application on the client’s operating system. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and its exploitation conditions (necessity of user interaction, attack development limitations and other conditions affecting CVSS severity).

Software for Exploitation

First round: Microsoft Internet Explorer 9, Google Chrome 19.0.1084, Mozilla Firefox 12, Opera 11.64.
Second round: Microsoft Internet Explorer 8/9, Mozilla Firefox 10/11/12, Google Chrome 16/17/18/19, Opera 11.64/11.60, Apple Safari 5.0/5.1.1/5.1.2.
It is permitted to exploit the latest versions of typical third-party browser components in the third round: Adobe Flash Player (11.2.202.235), Adobe Reader (10.1.3), Java (7 update 4). The list of browsers for the third round is identical to the list for the second round.

Platforms Used

First round: Windows 7 Service Pack 1 (x64). Second and third rounds: Windows 7 Service Pack 1 (x64/x86) and Windows XP SP3 (x86).

Participation Terms

All preregistered specialists can participate in the competition. Please send your applications to phdcontests@ptsecurity.com. The last day of registration is May 28, 2012. Specify the participant’s name, target browser, and attack vector. The organizers of the competition reserve the right to refuse a candidate if he or she fails to prove his or her competence in the issues the competition is based on.

Prizes

1st place – 137,000 Russian rubles

2nd place – 75,137 Russian rubles

3rd place – 50,137 Russian rubles

If several participants of the competition claim the same place, the winner will be decided by expert evaluation of the exploit technical characteristics (exploitation complexity, stability, etc.).

Participants of the competition can visit all events of Positive Hack Days for free.

Technical Details

The versions of systems and applications used in the competition will be finalized at least two weeks before the beginning of the forum. The relevant information will be published on the PHDays 2012 web site (http://www.phdays.com). After every exploitation attempt the operating system will be restored to its original state. Competitors should bring their own software needed for conducting the attack. A wireless or wired network connection will be provided.

Hacking Mobile Devices. Rules

Only one device can be attacked in a round, using one attack vector; the organizers of the competition follow the link provided by a participant. Success in the first round earns a participant the first prize; success in the second or the third round earns the second or the third prize respectively. After every exploitation attempt the operating system will be restored to its original state. A participant succeeds if, after conducting a remote attack against a device, he or she is able to launch an application on the device. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and its exploitation conditions (necessity of user interaction, attack development limitations and other conditions affecting CVSS severity).

Participation Terms

All preregistered specialists can participate in the competition. Please send your applications to phdcontests@ptsecurity.com. The last day of registration is May 28, 2012. Specify the participant’s name, the target operating system, the device type (tablet or smartphone) and the attack vector. The organizers of the competition reserve the right to refuse a candidate if he or she fails to prove his or her competence in the issues the competition is based on.

Prizes

1st place – 137,000 Russian rubles

2nd place – 75,137 Russian rubles + iPhone 4s

3rd place – 50,137 Russian rubles

If several participants of the competition claim the same place, the winner will be decided by expert evaluation of the exploit technical characteristics (exploitation complexity, stability, etc.).

Participants of the competition can visit all events of Positive Hack Days for free. Positive Technologies (the PHDays organizer) and the sponsors of the forum provide prizes and gifts for all participants of the competition.

Platforms Used

First round: iOS 5.1.1 (tablet/smartphone) or Android 4.0.4 (tablet/smartphone)

Second round: iOS 5.1.1 (tablet/smartphone) or Android 4.0.4 (tablet/smartphone) + well-known software of a third-party manufacturer (to be discussed with the organizers at the registration stage)

Third round: iOS 5.0 (tablet/smartphone) or Android 3.0 (tablet), Android 2.3 (smartphone)

Technical Details

The versions of the software used in the competition will be finalized at least two weeks before the beginning of the forum. The relevant information will be published on the PHDays 2012 web site (http://www.phdays.com). Devices are used in their default out-of-the-box configuration, except for the settings necessary to establish a network connection. After every vulnerability exploitation attempt the device will be rebooted and restored to its original state.

A standard attack vector implies a visit to a specially crafted site via the default browser of a device. If other attack vectors are used (receiving SMS/MMS, viewing e-mail messages, etc.), a participant should specify this in the application for the competition.

Competitors should bring their own software and hardware needed for conducting attacks. A wireless or wired network connection will be provided.

Exploiting Kernel Vulnerabilities. Rules

Every participant will be able to demonstrate exploitation of OS kernel vulnerabilities. An exploit offered by a candidate should allow an unprivileged user to raise his or her system privileges to superuser level.

In every round, attacks should be conducted against one of the specified platforms; the organizers of the competition launch an executable file provided by a participant. Only one attack vector can be used in a round. Success in the first round earns a participant the first prize; success in the second or the third round earns the second or the third prize respectively. A participant succeeds if he or she raises privileges from the level of an unprivileged user to the maximum privilege level of the system. The organizers reserve the right to lower a participant’s rating depending on the type of vulnerability used and its exploitation conditions (necessity of user interaction, attack development limitations and other conditions affecting CVSS severity).

Platforms Used

First round:

Windows 7 Service Pack 1 (x64)

Windows Server 2008 SP2 (x64)

Debian Linux 3.3.5

FreeBSD 9.0

OpenBSD 5.1

OS X 10.7.4

Second round:

Windows 7 Service Pack 1 (x86)

Windows Server 2003 SP2

Windows XP SP3 (x86)

Debian Linux 2.6.32-45

FreeBSD 8.0

OpenBSD 5.0

OS X 10.7.1

Third round: the platforms are identical to those of the first round. Well-known security software (antiviruses, HIPS, etc.) of a third-party vendor may be used (to be discussed with the organizers at the registration stage).

Participation Terms

All preregistered specialists can participate in the competition. Please send your applications to phdcontests@ptsecurity.com. The last day of registration is May 28, 2012. Specify the participant’s name and the target platform. The organizers of the competition reserve the right to refuse a candidate if he or she fails to prove his or her competence in the issues the competition is based on.

Prizes

1st place – 75,000 Russian rubles

2nd place – 50,000 Russian rubles

3rd place – 30,000 Russian rubles

If several participants of the competition claim the same place, the winner will be decided by expert evaluation of the exploit technical characteristics (exploitation complexity, stability, etc.).

Participants of the competition can visit all events of Positive Hack Days for free.

Technical Details

The versions used in the competition will be finalized at least two weeks before the beginning of the forum. The relevant information will be published on the PHDays 2012 web site (http://www.phdays.com). After every vulnerability exploitation attempt the operating system will be restored to its original state. Competitors should bring their own software needed for conducting attacks.

Vulnerabilities Disclosure

The organizers of the competition treat disclosure of information on detected vulnerabilities in a responsible manner. The competition therefore has an important condition: a participant who detected a vulnerability should inform the software vendor within 6 months from the moment of its detection. The information on the detected vulnerabilities should be disclosed in one of the following ways:

  • providing the software vendor with a detailed description of the detected vulnerabilities;
  • communicating information on the vulnerabilities to CERT;
  • communicating information on the vulnerabilities via UpSploit;
  • communicating information on the vulnerabilities by means of participation in other official programs of remuneration for detected vulnerabilities such as Zero Day Initiative.