Google Chrome Pwned by VUPEN via Sophisticated 0-Day Exploit

DfgDfg Admin
edited June 2011 in Tech & Games
YouTube - VUPEN Pwned Google Chrome aka Sandbox/ASLR/DEP Bypass

http://www.vupen.com/demos/
Hi everyone,

We are (un)happy to announce that we have officially Pwned Google Chrome and its sandbox.

The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).

The video shows the exploit in action with a default installation of Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).

While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP.

For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our Government customers as part of our vulnerability research services.

Update: The exploit works on both Chrome versions 11.x and 12.x. It was also tested with Chrome v11.0.696.68 and v12.0.742.30.


Fuck!

Comments

  • edited June 2011
    Damn! Well I guess that now Google can patch that up, but I really didn't see that coming. Oh well, I never use Chrome anyways.
  • -SpectraL-SpectraL Will Faggert
    edited June 2011
    Just another buffer overrun device. There's millions of them, and lots more to come.

    "A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interest of efficiency on production runs. Unanimously, they urged us not to—they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980, language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."

    ~ C. A. R.
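An added illustration of the bounds-checking principle in the quote above, contrasting an unchecked subscript with one checked against both declared bounds (example code written for this page, not part of the thread; the `record` struct and its `guard` field are constructed):

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed layout: a small fixed-size buffer followed by a field that
 * must never be touched. A subscript that runs off the end of `data`
 * lands on `guard`, which is the overrun the comment above refers to. */
#define RECORD_LEN 4
#define GUARD_VALUE 0x7A7A7A7A

struct record {
    int32_t data[RECORD_LEN];
    int32_t guard; /* stands in for whatever happens to follow the buffer */
};

void record_init(struct record *r) {
    memset(r->data, 0, sizeof r->data);
    r->guard = GUARD_VALUE;
}

/* Unchecked write: trusts the caller's index. idx == RECORD_LEN silently
 * overwrites r->guard (undefined behaviour in C, but this is what happens
 * in practice). */
void write_unchecked(struct record *r, int idx, int32_t v) {
    r->data[idx] = v;
}

/* Checked write: every subscript tested against the lower and upper
 * declared bound before the store. Returns 0 on success, -1 if rejected. */
int write_checked(struct record *r, int idx, int32_t v) {
    if (idx < 0 || idx >= RECORD_LEN)
        return -1;
    r->data[idx] = v;
    return 0;
}

/* Applies one checked write to a fresh record; 1 if the guard survived. */
int guard_intact_after_checked_write(int idx) {
    struct record r;
    record_init(&r);
    (void)write_checked(&r, idx, 0x41414141);
    return r.guard == GUARD_VALUE;
}

int main(void) {
    struct record r;
    record_init(&r);
    write_unchecked(&r, RECORD_LEN, 0x41414141);
    printf("unchecked: guard is now 0x%08x\n", (unsigned)r.guard);
    printf("checked:   guard intact = %d\n",
           guard_intact_after_checked_write(RECORD_LEN));
    return 0;
}
```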
  • -SpectraL-SpectraL Will Faggert
    edited June 2011
    They used the cross-site scripting bounds-checking flaw in OpenGL.
  • -SpectraL-SpectraL Will Faggert
    edited June 2011
    How do you know?

    Not doubting you, I'm just curious.
    If I told you that I would have to kill you. ;)

    No, but seriously... check keywords "POC" "cross site scripting" and "WebGL"

    http://html5example.net/tag/html5%20security/