nsane.forums Posted March 7, 2012

VANCOUVER — At last year’s CanSecWest Pwn2Own hacker contest, Google Chrome was the only browser left standing. This year, Chrome was the first to fall, thanks to an impressive exploit from a team of French hackers.

VUPEN, the controversial company that sells vulnerabilities and exploits to government customers, deliberately took aim at Chrome this year to send a simple message: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.

VUPEN co-founder and head of research Chaouki Bekrar and his team used a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine. As part of the new competition format, VUPEN will earn 32 points for the successful Chrome exploit.

In an interview, Bekrar said his team worked for about six weeks to find the vulnerabilities and write the exploits. “We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox.”

Bekrar declined to say if any of the exploits targeted third-party code in the browser. “It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”

Last year, VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.

At Pwn2Own this year, Bekrar’s team came equipped with zero-day flaws for all four major browsers — Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox — but he said the decision to go after Chrome first was a deliberate tactic. “We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” he said.

During the hack, Bekrar created a web page booby-trapped with his exploit. Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox. “There was no user interaction, no extra clicks. Visit the site, popped the box.”

VUPEN will sell the rights to one of the zero-day vulnerabilities but the company says it won’t give up the sandbox escape. “We are keeping that private, keeping it for our customers.”

Even as he basked in the glory of defeating the highly touted Chrome sandbox, Bekrar was very complimentary of the work done by Google’s security team to add anti-exploit mechanisms into the browser. “The Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available.”

“This just shows that any browser, or any software, can be hacked if there is enough motivation and skill,” he added.
tezza Posted March 8, 2012

VANCOUVER — A Russian university student hacked into a fully patched Windows 7 machine (64-bit) using a remote code execution vulnerability/exploit in Google’s Chrome web browser.

The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome security holes.

Glazunov scored a $60,000 payday for the exploit, which targeted two distinct zero-day vulnerabilities in the Chrome extension sub-system. The cash prize was part of Google’s new Pwnium hacker contest, which is being run this year as an alternative to the more well-known Pwn2Own challenge.

According to Justin Schuh, a member of the Chrome security team, Glazunov’s exploit was specific to Chrome and bypassed the browser sandbox entirely. “It didn’t break out of the sandbox [but] it avoided the sandbox,” Schuh said in an interview.

Schuh described the attack as “very impressive” and made it clear that the exploit “could have done anything” on the infected machine. “He (Glazunov) executed code with full permission of the logged on user.”

“It was an impressive exploit. It required a deep understanding of how Chrome works,” Schuh added. “This is not a trivial thing to do. It’s very difficult and that’s why we’re paying $60,000.”

Glazunov is a regular contributor to Google’s bug bounty program and Schuh raved about the quality of his research work.

Schuh said Glazunov once submitted a similar sandbox bypass bug but stressed that these kinds of full code execution exploits, which execute code outside the browser sandbox, form a very small percentage of bug submissions.

Google’s Sundar Pichai says the company is “working fast on a fix” that will be pushed out via the browser’s automatic update utility.

http://www.zdnet.com/blog/security/cansecwest-pwnium-google-chrome-hacked-with-sandbox-bypass/10563
kunjar Posted March 8, 2012

Crazy Russians, I wonder what is in the water they drink? They seem to be able to hack apart any piece of software.