New Chrome Exploit Bypasses Sandbox, ASLR and DEP
Trailrunner7 writes "Researchers at the French security firm VUPEN say they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. The company said they are not going to disclose the details of the bugs right now, but they have shared information with some of their government customers. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said."
"This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services."
Oh, I feel SO MUCH better now!
Funny. I don't read anything about them disclosing it to Google (even though they offer a bug bounty). So I'll just have to guess NSA and all the other good guys are protecting us (yeah right) until someone at Google stumbles across this issue.
I am so glad I run [insert smug zealous OS plug here] and not Windows!
So long as you don't forget to properly affix your tinfoil hat, I'd say you're good to go!
You're a belt and suspenders kind of guy, aren't you?
This "VUPEN security" company, how are they any different from HBGary? They sold 0days to governments too...
I just want the damn hole closed.
embedded video of goatse website on grimy monitor in 3...2...
As the world leader in vulnerability research, VUPEN provides offensive and highly sophisticated exploits specifically designed for Law Enforcement and Intelligence Agencies to help them achieve their offensive missions using tailored and unique codes created in-house by VUPEN.
God I hate those french researchers, liberty fraternity equality OR DEATH my ass
Jehovah be praised, Oracle was not selected
Just throwing this out there:
These problems won't affect 95% of users. Running these sorts of attacks on end users is a bit of a waste, and something this complicated would be saved for more important targets.
A vast majority of infections out there are things that you're already guarded against if you keep your system updated.
I can crack that easily, and get at your data. You forgot rubber hose hacking...
Hyperbole: I use it liberally!
You know, when I was demoing Chrome as a possible browser for my tablet, I went looking for a script blocking extension. To my consternation, I was met with the near worthless alternative of either running all scripts or none on a page, either through an extension designed like a high school side-project or using the built in white-listing feature. This is apparently because the API does not allow for functionality along the lines of blocking individual scripts from executing.
The forums and comments sections addressing user questions as to an alternative usually had self-serving replies like "Chrome is so awesome that it doesn't need script blocking." and "It can't be owned due to sand-boxing. You know what sand-boxing is, right?" (Because the only reason a person would ask is if they were an ignorant fool, right?)
So, *cough* tell me why Chrome doesn't need a NoScript-like extension again? @the marketing drones: Because, I'm so sure the cocksure poseur-charisma will scare the crime-ware away, really. The elephant in the room doesn't exist so long as the people that bring it up are shouted down, right?
Any sufficiently advanced influence is indistinguishable from control.
True, but security researchers are not fighting the scattered guy in the basement who manages to find a hole.
There are criminal organizations which are big enough to fund people in researching holes, as well as buying 0-days from the black market. Then using these either for a focused attack against a company, or cast it on the wind to gather up clients for a botnet. All is needed is a 0-day hole in a browser or browser add-on coupled with an exploit to get Administrator rights, paste this on the Web using ad rotation services, and it can easily bring in large numbers of compromised machines.
This is the reason you don't want your browser able to access native OS code; when there's an exploit, the keys to the kingdom are in the browser.
http://www.theregister.co.uk/2010/12/08/google_on_native_client/
The answer was in the few words before the ones you highlighted:
Okay, I've watched the Video twice, and read both linked articles (yeah I did) and it said that it was ..
Well I did see the Calculator applet get started, and I do see that it is a Microsoft Version. I did not see it get "downloaded", which is acceptable if it was a background download. But I don't know if it did, or if it simply called the local version already installed as part of the OS.
Just saying the whole thing is very skimpy and light on details and specifics.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
They run IE6.
Last I checked, Sandboxie was an IO-layer sandbox; a kernel or OS/service exploit would skip right over your sandbox without even noticing its presence.
The stupidity of your post isn't the worst part. It's the fact that, as of this writing, you're modded Insightful.
Chrome's sandbox is Windows' sandbox, so that's perfectly possible.
1. Watching the video, I see nothing that couldn't be achieved with ExtJS.
2. Chrome often has multiple processes listed in task manager. In their video, they conveniently cover all those process names with another window so you can't see them.
3. Suspicious overuse of "pwn". No company worth respecting would use "pwn" in a press release.
To me the most troubling part of this issue is what VUPEN does ... from their web site -- "Exclusive and sophisticated exploits for Law Enforcement Agencies". So, the reason the exploit is not being made public is so that Government agencies can use these exploits to install keyloggers or whatever they choose on whatever computer they wish to target and monitor.
I have the virus scanner on my BSD box so I can scan suspicious files before accessing them from my Windows boxes (the BSD box is my general-purpose "server", including running Samba). And to be fair, it's been months since I found a file suspicious enough to deserve the full treatment.
I always chuckle when I hear of people disabling JavaScript in this day and age. Reminds me of a guy from an old job who used to disable images in his browser, saying they were unnecessary bloat that weren't important and shouldn't be a part of the web.
"The problem with being better than everyone is that people tend to think you're pretentious."
insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
Me, running a BSD licensed OS?
I run GNU Hurd, you insensitive clod.
- rms
Yes, but bear in mind that Microsoft classifies UAC as only being a security "feature" despite the fact that it's actually a user-imposed security boundary.
Thing is, I wouldn't /like/ to have to disable JS, or run NoScript, but thanks to poor implementations of ad code, disabling it can /seriously/ speed up loading on a high(ish) latency connection.
And that's on top of all the potential attack vectors.
Speaking of which, /. runs /much/ faster on my phone when you disable JS - None of this slow ajax and hugely-long page to re-render when you add a comment.
Good luck, I'm behind 7 Sandboxies.
I'm glad you put "possible" in italics to emphasise that this didn't necessarily mean it was the cause of the issue. Chrome implementing the sandbox, while overriding memory protection, kind of negates the purpose of the sandbox. (Although, it prevents "natively" bad stuff from affecting the system. However anything attacking the browser itself can still access system memory).
To be fair though, the demonstration of this vulnerability has exposed nothing other than the ability to load known programs in known locations, without any additional parameters. They may be able to, but that hasn't been demonstrated, and won't be if they aren't releasing any "details".
"The true measure of a person is how they act when they know they won't get caught." - DSRilk
Never say never. I recall reading that some malware can detect the presence of VMware and/or Sandboxie and get around it. Sandboxie helps, but it is of limited protection on 64-bit systems.
Actually, I really disabled it because it's running on an Athlon 900 with 384MB of RAM. The security advantage is a side-benefit.
A quick search turns up that VUPEN co-founder Chaouki Bekrar was the winner of Pwn2Own 2011: http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358
Not to say it proves he did it again with Chrome, but at least the guy's got some credit for being able to pull this one off.
7 sand *BOXXYS* ...fixed
In post Patriot Act America, the library books scan you.
Does this mean government contractors will get access to the exploit code?
I guess this will help them wiretap.
You are confusing a sandbox written by Google for Windows with a Windows sandbox written by Microsoft. Google WROTE the Windows sandbox that Chrome uses.
If you look closely, the first time the video shows process explorer, the PID of the parent chrome process is 1388 with integrity at "Medium", and a child chrome process's PID is 1928 with integrity set at "Low". After the hack, process explorer shows a child chrome process with PID 804 and integrity "Medium", all other processes except for the calculator are obscured. I can guess-timate that the original parent and child are still there though, as there is still a low integrity process somewhat near the bottom of the list.
After looking at the documentation for process explorer, the gray colored process line (most likely the parent chrome process) is suspended, which seems odd. I'm not entirely sure I'm seeing the correct part of the process explorer docs here.
Another thing to note is that the calc.exe process has no parent. That means that whatever spawned it has already died.
The video suggests that a fairly standard ASLR attack was made: guess and check. ASLR makes it difficult to reliably guess an address the first time. Most of the time, if a hack guesses wrong, the process dies and the attacker doesn't get another chance. It seems that the attacker found a place (or made a place) where they could "guess" repeatedly. Given the prior information, that suggests that the child process somehow caused the parent process to repeatedly spawn chrome subprocesses that had some attacker controlled information in it. Each time, that information is probably a little bit different until the attacker guessed "right", and successfully executed the right attack code.
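The parent/child and integrity-level reading in the post above can be turned into mechanical checks over a process snapshot. This is an added example for the thread, not code from Google, VUPEN or the commenter; the records are constructed to mirror what the commenter read off the video (chrome.exe 1388 at Medium, 1928 at Low, a post-exploit chrome.exe 804 at Medium, and a calc.exe whose parent is gone), and the process names, the dead parent PID 1716 and the session-root list are assumptions of the example.

```python
"""Sanity checks over a process snapshot of the kind Process Explorer shows.

Added example, not code from Google, VUPEN or the thread. The snapshot is
constructed from the PIDs and integrity levels quoted in the comment above;
names, the dead parent PID 1716 and SESSION_ROOTS are assumptions.
"""
from dataclasses import dataclass

# Windows integrity levels, lowest to highest (Vista and later).
INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}

# Processes that are always parentless in a real listing because their
# launcher exits (assumption for this example: explorer.exe via userinit).
SESSION_ROOTS = {"explorer.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    integrity: str


def chrome_children_above_low(procs):
    """chrome.exe processes whose parent is also chrome.exe but which run
    above Low integrity. On Vista/7 the sandboxed renderers are supposed to
    be Low, so a Medium child is exactly the post-exploit state the comment
    describes (PID 804)."""
    chrome = {p.pid for p in procs if p.name == "chrome.exe"}
    return [p for p in procs
            if p.name == "chrome.exe" and p.ppid in chrome
            and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK["Low"]]


def orphans(procs):
    """Processes whose recorded parent is gone from the snapshot, ignoring
    the usual session roots. Process Explorer draws these with no parent;
    whatever spawned them has already exited (the comment's calc.exe)."""
    live = {p.pid for p in procs}
    return [p for p in procs
            if p.ppid not in live and p.name not in SESSION_ROOTS]


def children_outranking_parent(procs):
    """Processes running at a higher integrity level than their live parent.
    A child token is inherited at or below the parent's level, so this list
    should be empty. It stays empty on the constructed snapshot too: the
    Medium renderer was spawned by the Medium broker, which is why the
    first check, not this one, is what catches the escape."""
    by_pid = {p.pid: p for p in procs}
    return [p for p in procs
            if p.ppid in by_pid
            and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[by_pid[p.ppid].integrity]]


def report(procs):
    """Run all three checks and return the flagged PIDs per check."""
    return {
        "chrome_child_above_low": [p.pid for p in chrome_children_above_low(procs)],
        "orphan": [p.pid for p in orphans(procs)],
        "outranks_parent": [p.pid for p in children_outranking_parent(procs)],
    }


# Constructed snapshot modelled on the PIDs and levels quoted in the comment.
AFTER_EXPLOIT = [
    Proc(1000, 900, "explorer.exe", "Medium"),   # session root, launcher gone
    Proc(1388, 1000, "chrome.exe", "Medium"),    # browser/broker process
    Proc(1928, 1388, "chrome.exe", "Low"),       # sandboxed renderer, as expected
    Proc(804, 1388, "chrome.exe", "Medium"),     # renderer at Medium: the anomaly
    Proc(2044, 1716, "calc.exe", "Medium"),      # parent 1716 no longer exists
]

if __name__ == "__main__":
    for check, pids in report(AFTER_EXPLOIT).items():
        print(f"{check}: {pids}")
```

On a real machine the same data can be read from Process Explorer's Integrity and Parent PID columns; the point of the three checks is that the only one that fires on this snapshot is the Medium-integrity renderer, because a broker-spawned child legitimately inherits the broker's level.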
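The guess-and-check reading above hinges on one thing: whether a wrong guess costs the attacker the whole target or only one respawnable child. The following is an added example, not the exploit and not code from VUPEN or Google, that counts attempts in a simple model of that situation. It assumes an attacker who gets another try after each crashed child, and compares a layout that stays fixed across respawns (on Windows, system DLL bases are randomised once per boot and shared by every process) with a layout re-randomised on every respawn. ENTROPY_BITS = 8 is an assumed figure for the model, not a measurement of anything in the video.

```python
"""Attempt counts for a 'guess and check' attack on ASLR with respawns.

Added example; not the exploit, not code from VUPEN or Google. The model
assumes retries are possible because a wrong guess kills only a respawned
child. ENTROPY_BITS is an assumption of the model.
"""
import random
from statistics import mean

ENTROPY_BITS = 8


def sweep_fixed_layout(secret, bits=ENTROPY_BITS):
    """Layout chosen once and reused by every respawned child: a sequential
    sweep over the 2**bits candidates is guaranteed to hit. Returns the
    number of attempts used (each wrong attempt = one dead child)."""
    space = 1 << bits
    if not 0 <= secret < space:
        raise ValueError("secret outside the modelled address space")
    for attempt, guess in enumerate(range(space), start=1):
        if guess == secret:
            return attempt
    raise AssertionError("unreachable: the sweep covers the whole space")


def sweep_rerandomised(rng, bits=ENTROPY_BITS):
    """Layout re-randomised on every respawn: each attempt is an independent
    1-in-2**bits chance, so sweeping is no better than repeating one guess
    and there is no upper bound on attempts, only an expected count."""
    space = 1 << bits
    attempts = 1
    while rng.randrange(space) != 0:   # 0 stands for 'guess matched'
        attempts += 1
    return attempts


def expected_attempts(bits=ENTROPY_BITS, rerandomised=False):
    """Analytic mean: (2**bits + 1) / 2 for a sweep over a fixed layout,
    2**bits for independent per-attempt randomisation (geometric)."""
    space = 1 << bits
    return float(space) if rerandomised else (space + 1) / 2


def single_shot_success_probability(bits=ENTROPY_BITS):
    """What the attacker faces when a wrong guess kills the whole target and
    nothing respawns it: one chance in 2**bits, and no second try."""
    return 1 / (1 << bits)


def simulate(trials=2000, seed=1):
    """Average attempts over many sessions in both regimes (seeded)."""
    rng = random.Random(seed)
    fixed = mean(sweep_fixed_layout(rng.randrange(1 << ENTROPY_BITS))
                 for _ in range(trials))
    rerand = mean(sweep_rerandomised(rng) for _ in range(trials))
    return fixed, rerand


if __name__ == "__main__":
    fixed, rerand = simulate()
    print(f"fixed layout, sequential sweep: mean {fixed:.1f} attempts "
          f"(analytic {expected_attempts():.1f}, worst case {1 << ENTROPY_BITS})")
    print(f"re-randomised per respawn: mean {rerand:.1f} attempts "
          f"(analytic {expected_attempts(rerandomised=True):.1f}, no worst case)")
    print(f"no respawn at all: P(success) = {single_shot_success_probability():.4f}")
```

Both respawn regimes are feasible at this entropy; what actually protects the target is denying the retry, which is why a crash in a sandboxed child that the broker cheerfully restarts is worth more to an attacker than the raw ASLR entropy suggests.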
Since they aren’t informing the Vendor so it can get patched,
Are they going to take responsibility when it does get into the wild?
Oh, we're a big security company, we're secure!
Yeah right!
Show me a boat that doesn’t leak!
it's running on an Athlon 900
Why?
It's not old enough to be retro, yet not fast enough to run a GUI in 2011.
"I don't know, therefore Aliens" Wafflebox1
But.. "At its core, the sandbox relies on the protection provided by four Windows mechanisms: a restricted token, the Windows job object, the Windows desktop object, and (Windows Vista only) the integrity levels." Because the exploit hasn't been released, it's unclear whether the bug was in those systems, or in the broker code of Chromium, or possibly even one or more in both.
Because that was what was in my spare box. Seriously, the machine's cobbled together from salvage - a CPU/mobo from one machine, a video card from another (GeForce 2, not that it actually accelerates anything), RAM from two different sources, hard drives from three, and miscellaneous CD drives and floppy drives, just because. And the software is equally... Frankensteinian. Samba, Apache, MySQL, a full X desktop (it's my backup backup ordinary-use computer), FTPD, a couple other things I've forgotten, and DosBox.
On the bright side, I'm comfortable experimenting with it. If I break it, I know how to do a full reinstall, and with three hard drives (not in any sort of RAID), I can keep a backup "image" ready. If the hardware breaks, I can just grab slightly older stuff from the Big Bin of Parts. It's practically disposable.
Add a drawstring as well and you're 100% on target...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
That video shows exactly nothing - any 2 screen system can do Windows-R + "calc" offscreen and lob it into the picture, whilst it's looking at a web page. You can also not see if it really is a sub-process, that part is obscured. As far as I can judge by the indentation it is NOT a sub process - thus no hack. But I'm no expert - unlike them I won't pretend to be one either. In summary, this *seriously* lacks credibility.
It's IMHO a rather stupid attempt at getting their name out there and sucking up to the French Government. As a Government I would not use them now because they have gone public with something that could have been useful (if it exists), and as a company I would avoid them like the plague because I would not know who they would sell my vulnerabilities to (instead of me).
Oh, and as for Google? You know, wouldn't it be funny if their website never showed up in any Google search... After all, can't let them do any evil now, can we?
Really if you are running a virus scanner on any *nix machine, you're either doing it on behalf of Windows systems (i.e. on a *nix mailserver that has Windows clients) or you're doing something wrong.
I'm not so sure about that. There seems to be a persistent idea that *nix is somehow secure, but that is not actually true. There have been vulnerabilities and exploits for *nix, and I have seen a number of compromised Linux installations. OpenBSD seems to be one of the few operating system projects taking security as seriously as I think they should, but even they have had vulnerabilities in the core system, not to mention vulnerabilities in the applications people run on it. And let's not forget that most of it is written in C, a language known to be full of opportunities for creating vulnerabilities.
Now, I am not claiming that running a virus scanner would be a good idea. It will use up computer resources, but will it actually stop the attacks? However, I think we in the *nix world should work a lot harder to secure our systems than most of us currently do. To give you something to think about: Windows has had ASLR and NX enabled for core parts of the system for a few releases now. Many popular Linux distros don't enable either feature for any software. Also, Linux (the kernel) is huge. What protections does your favorite distro offer against bugs and exploits in code that runs in kernel space?
Oh and if you were really so paranoid you'd be using Chromium, not Chrome.
Calling computer security-minded people paranoid would be funny if it weren't so sad. The truth is that the Internet is full of automatic exploits and there is a large industry built on exploiting software (of which the exploit this story is about is an example). Too many people think they have nothing to fear, while, in reality, governments, script kiddies, and professional criminals are all out to get you. Maybe not you personally, but they will welcome the addition of your computer to their botnet or database, regardless of who you are. Good computer security isn't paranoia, it's protection against the very real possibility that your computer will be used to send spam, participate in denial of service attacks, various criminal activities, or simply to gather information about you and your friends, relatives, and acquaintances.
If you don't see computer security as a big deal, perhaps it would help to imagine what your inbox would look like if there was no spam filtering (spam comprises the majority of all email, and the bulk of email spam is sent from exploited computers), or you can speak to any of the people whose personal data have been used to take out loans or commit criminal activities in their name. I hope that you will never experience anything like that first-hand, but you should know that, if you aren't vigilant about computer security, you may unknowingly be facilitating these things.
Please correct me if I got my facts wrong.
Not if people have it shut off.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
And after reading the above, I conclude that the Windows security model is ...sh1t.
First of all, it's extremely complex. It takes a long web page just to describe some aspects of it.
Secondly, it's extremely disjoint: each little piece of Windows, having been developed in isolation, went its own way, which results in not being able to enforce a single security system all over the system.
WHAT! Haven't you heard that Apple is Evil and Steve Jobs wants to track and eat your shiny baby and market it to look cool to the other fanbois? What that means is that this is not really a problem with Chrome because it's OPEN and it's really the problem of your iPhone because it's tracking the cell towers you go near and you should instead buy Android so Google can keep you safe by tracking EVERYTHING!!
AHHHHHHHHHH, THE SKY IS FALLING!
To be done right, a sandbox must either be implemented with hardware (max privilege required) or be an interpreter that mimics (virtualizes) that setup. The best place for a sandbox is in the OS itself, something Windows doesn't do. Without that you are a single buffer overflow or improperly passed pointer away from a compromised system.
I use NoScript on websites until I've determined I need the scripts. It's easy enough to enable them once I'm there, and much, much faster to load complex websites without it.
- Michael T. Babcock (Yes, I blog)