Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits
Tackhead writes "Hot on the hooves of Sergey Glazunov's hack 5-minutes into Pwn2Own, an image of an axe-wielding pink pony was the mark of success for a hacker with the handle of Pinkie Pie. Pinkie Pie subtly tweaked Chromium's sandbox design by chaining together three zero-day vulnerabilities, thereby widening his appeal to $60K in prize money, another shot at a job opportunity at the Googleplex, and instantly making Google's $1M Pwnium contest about 20% cooler. (Let the record show that Slashdot was six years ahead of this particular curve, and that April Fool's Day is less than a month away.)"
A PARTY!!! (sorry bronies, couldn't resist)
your nick should be NotQuiteAwake
It's interesting that the article implies the flaw is in WebKit rather than, say, JavaScript or Flash. So there'll need to be a similar patch made for Safari (which the article also briefly touches on).
#DeleteChrome
Cupcakes for ALL!
OMG!!! Ponies!!!
This space unintentionally left blank.
Be Creative!
Why don't you have a banner that says "Optimized for IE 6! Enjoy the new support for the best browser available." Link a whole bunch of articles including the one at arstechnica that showed IE 6 usage jumped last month.
Go dig up some CSS from Slashdot 2002 era from slashcode. Let us office workers use it for a day or need to click "compatibility mode" for IE 8 and 9. You have the code?
Maybe put the blue colors of XP mode in its colors.
http://saveie6.com/
OMG Pwnmemes?
Mod me down, my New Earth Global Warmingist friends!
http://img.photobucket.com/albums/v674/MarianLH/Ponies/HatersGonnaHate05.jpg
The best thing about Pwn2Own is that it can be a shot of reality for anyone who gets overly confident in how awesome their favorite OS or browser is. I'm a huge fan of Chrome and was hoping it would stand up without any 0-days, but it's great that Pwn2Own brought to light the reality that there is no "secure web browsing experience" outside of Lynx (and I'm willing to bet that could be 0-day'd too).
DAMNIT!
SHE BROKE THE WALL AGAIN!
*yeah that really makes no sense but I've had two fingers of single malt so stay with me on this one*
My -1 Troll is actually a +1 funny. And my -1 flame is actually a +1 insightfull.
The code isn't in a sandbox if it can escape.
A lot of (desktop) hardware supports virtualization at the hardware level -- This doesn't mean executing a different set of opcodes, it means running an OS inside of an OS. We need hypervisory control at the application level. As long as your application code is running in the same environment as everything else with no hardware supported barriers, then it's not actually in a sandbox.
We compile sections of JavaScript to machine code in data memory, mark the resulting data as code and execute it. It only takes one well placed buffer overflow to get some of your memory corrupted, before data is executed as code. The corruption need not result from JavaScript to affect the JS engine. Additionally, if said JavaScript or HTML or ANY untrusted source of data is being used by native code at the same security level as the application then any bug in that native code (eg: flash, SVG, HTML5 rendering, video/sound codecs, etc) can be an open door out of the "sandbox". This is similar to how such a bug in kernel level code can give you kernel level access... Such is the case for application level code as well.
Data Execution Prevention (DEP) can be used to prevent executing data as code (eg to prevent buffer overflow data from being executed), but since the design of JavaScript makes implementations so slow and we're trying to do so much with it we actually need to execute the data as code. To gain performance we forfeit one of the best tools that a "sandbox" can have.
Many that gloat over their browser performance benchmarks wilfully trade security for speed, leaving other more sensible individuals (who may instead throw hardware at a speed issue) without an option... Better browser code can't execute "faster". The hardware runs at the same speed. It can only execute less. That is: more efficiently... More speed requires better hardware, not software.
I would welcome a slower software only VM option (no just in time compiling to machine code), this way hardware DEP could be used to enforce sandboxing more strictly. Until then: My browser runs in its own OS within a hardware supported VM. I start from a fresh known-good VM image before I do anything important on the web. THAT'S a sandbox. Consequently, these restrictions mean I won't do anything important on today's mobile devices...
P.S.
Security researcher red-flags bolded for your convenience.
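The JIT-versus-DEP trade-off described in the comment above, shown in code. This is an added example, not code from the thread or from Chromium: it emits a tiny native function ("return a constant") into an anonymous page, which is the shape of what a JavaScript JIT does, and contrasts two things. First, the W^X discipline: the page is writable while the code is written and executable only after mprotect flips it, so the engine never holds a page that is both at once. Second, what NX/DEP does when code is fetched from a page that is still only read/write: the CPU faults, which the example catches with a SIGSEGV handler instead of crashing. The instruction encodings cover x86-64 and AArch64 on Linux; the function names and the constants are the example's own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*const_fn)(void);

/* Emit a tiny native function that returns `value` (0..65535, so it fits
 * both encodings) into buf. This stands in for what a JIT does with a hot
 * JavaScript function: machine code is first written into a data buffer.
 * Returns the number of bytes emitted. */
static size_t emit_return_const(unsigned char *buf, int value)
{
#if defined(__x86_64__)
    uint32_t imm = (uint32_t)value;
    buf[0] = 0xB8;                      /* mov eax, imm32 */
    memcpy(buf + 1, &imm, 4);           /* x86-64 is little-endian */
    buf[5] = 0xC3;                      /* ret */
    return 6;
#elif defined(__aarch64__)
    uint32_t insn[2];
    insn[0] = 0x52800000u | (((uint32_t)value & 0xFFFFu) << 5); /* movz w0, #imm16 */
    insn[1] = 0xD65F03C0u;                                        /* ret */
    memcpy(buf, insn, sizeof insn);
    return sizeof insn;
#else
#error "emit_return_const: add an encoding for this architecture"
#endif
}

/* The W^X (write XOR execute) JIT pattern: the page is writable while code
 * is emitted and becomes executable only after it is made read-only, so no
 * page is ever writable and executable at the same time. */
int jit_run_constant(int value)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    size_t n = emit_return_const(page, value);
    /* flip RW -> RX: from here on the code can run but not be modified */
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -1;
    }
    /* needed on ARM so the instruction cache sees the new bytes; harmless on x86 */
    __builtin___clear_cache((char *)page, (char *)page + n);
    const_fn fn = (const_fn)(uintptr_t)page;
    int result = fn();
    munmap(page, pagesz);
    return result;
}

static sigjmp_buf dep_env;
static void on_fault(int sig) { (void)sig; siglongjmp(dep_env, 1); }

/* What DEP buys: try to execute the same bytes from a page that is only
 * RW. With NX enforced the fetch faults; the handler turns the SIGSEGV
 * into a return value. Returns 1 if execution was blocked, 0 if the data
 * ran as code, -1 if the page could not be mapped. */
int dep_blocks_data_execution(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    emit_return_const(page, 7);                 /* bytes present, page never made executable */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int blocked;
    if (sigsetjmp(dep_env, 1) == 0) {
        const_fn fn = (const_fn)(uintptr_t)page;
        (void)fn();                             /* faults here when NX/DEP is enforced */
        blocked = 0;
    } else {
        blocked = 1;                            /* arrived via siglongjmp from the handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return blocked;
}

int main(void)
{
    printf("W^X JIT function returned %d\n", jit_run_constant(42));
    printf("executing data from an RW-only page was %s\n",
           dep_blocks_data_execution() == 1 ? "blocked (NX/DEP active)" : "NOT blocked");
    return 0;
}
```

What this adds to the comment is that a JIT does not have to give DEP up wholesale: the write-then-execute toggle keeps the page non-executable during exactly the window in which a heap corruption would want to write into it. It does not remove the risk the comment describes, because code that has the right to call mprotect can still flip a page it has corrupted, which is why the remaining defense is limiting what a compromised renderer process is allowed to do at all.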
It's not a meme... we're just celebrating the fact that we live in a universe where we can watch a MLP franchise without being unironic as fuck.
and the unintentional double negative means, good night.
You can't fix stupid. The pony meme will continue until the next braindead fad thing grabs their attention.
A browser exploit is just that - an browser (application) flaw.
Did any OS allow this to become an actual exploit, and if so, which OS?
Wasn't the word "pwn" derived from "own" to begin with? That would make "Pwn2own" seem to be a bit redundant, i.e. that is to say somewhat unnecessarily superfluous and verbose; lacking in the concise.
It's also possible to break out of hardware VMs. Why? Because there's no such thing as a hardware VM. There's hardware-enhanced VMs, but there's still driver and other code which has to interact with the guest OS, thus opening vectors for attack with a much larger attack surface than between two discrete boxes. There have been such exploits published, there are no doubt many unpublished, and there will be more in the future.
Sorry to rain on your parade.
really?
no wonder why the black market is flourishing
they should really increase the rewards
if they want to stay ahead of the curve
To further rain on the "VMs, even hardware ones, aren't exploitable" parade, the history of hacking the PS3 is always a fun read:
http://wiki.ps2dev.org/ps3:rsx
"FIFO workaround
The hack consists of asking the Hypervisor to return without waiting for a blit to end. After the Hypervisor returns there is a small length of time during which the FIFO or FIFO registers can be modified before the GPU has finished reading the command. This will occur when a large blit is decomposed into many smaller 1024×1024 blits by the Hypervisor. The last operation pushed to the FIFO by the Hypervisor is a wait for the GPU engine to go idle. By skipping this operation, it is possible to enqueue more commands to the FIFO for the GPU to execute. So the hack consists in either patching the last operation with a NOP, or changing the FIFO write pointer to stop earlier."
It's not a meme.
This.
We live in a universe in which the creators of the cartoon can put the equations that explain time dilation (at constant acceleration) into a 2-second cameo (at 14:22 into Season 2, Episode 20 - "It's About Time") that leads into a character coming to the conclusion that she has to stop time. Every equation on that blackboard is real. (The thing that looks like a percent sign is a gamma-sub-zero, etc.)
And in which we can have it all hashed out and documented within 12 hours of the show being aired this morning.
When we were in college, we had to explain to our parents why we still loved Bugs Bunny, and then, why we loved Futurama. Now it's a new generation's turn to explain to us why we think MLP is funny.
Obligatory Hack: Pinkie Pie? In my computer?
There's a difference between an internet meme and a fandom. Lolcats, advice animals, or rage comics are memes. Browncoats, Trekkies, Whovians, etc. are clearly not. Guess where ponies fall?
We like a particular show. That isn't much different than any other fan group.
Wait, I thought pink was the new black.
How can I believe you when you tell me what I don't want to hear?
Huh, that's a pretty neat catch. That's got to be one of the cooler Easter eggs I've seen in a while. I'm always a bit baffled by how much some people can find in that show...I have a hard enough time just trying to find Derpy...and I usually can't even do that until I see a screenshot pointing it out.
That guy just got himz a j-o-b.
The first one jumped out at anyone who ever took first year physics (or even AP physics in high school if they were lucky). The other lines were trickier.
Punchline: That particular bit got sussed out a few hours ago on The Imageboard That Shall Not Be Named. Yes, that one. With the four, and the ch, and the an. And the /mlp instead of the /second-letter-of-the-alphabet. Thread was /res 513617
You have to accept that virtual security is the same as physical security and cannot be perfect in the real world.
See with physical security, we've known this forever. You can't design the unbeatable system. No matter what you design, someone can figure out a way to overcome it, through brute force if necessary. You can't secure something to perfection. So you don't try, you design security to repel any likely threat, and you rely on defense in depth so that if one layer fails, the whole system doesn't fail.
However many geeks seem to have talked themselves into the idea that you can have perfect virtual security. Just use browser X on OS Y and there is no way anything evil can get you, kind of thing. Well I think that is false. You can't have perfect virtual security. Instead, you just have to make it as good as you can against the threat you are likely to face, and then have defense in depth.
Patch your OS and browser, run an on access virus scanner, run a client firewall, have a network firewall, run as a deprivileged user, use things like ASLR and DEP, be safe about your browsing, monitor your system, etc. Don't rely on a single thing to keep you safe, rely on many. Realize that all your layers have defects. Fix them when found, but understand there is no perfection.
This whining that nobody can build something perfect is just stupid. No, they can't, we never have, never will. Deal with it. We don't move out of our houses because they aren't perfectly secure, we aren't going to stop using our computers because they aren't perfectly secure. Get good layered defense and stay on top of it. That is all you can do, all we've ever been able to do.
he said hackers. he didn't say anything about the damn pony.
reading comprehension: it's hard when you're stupid!
You missed the key issue.
A browser exploit is just that - an browser (application) flaw.
You're missing the key issue- the browser is just the attack vector.
The article is talking about one guy who used a chain of 3 Chrome-only exploits (not using any 3rd party addons/plugins and not using any OS bugs/exploits) to fully escape the sandbox, which means this is not an OS specific exploit.
To answer your question- if you consider the ability to take any and all actions as if you were the user running the browser to be an exploit, then yes all of them.
I cannot believe how many retards with mod points are into little ponies. I don't give two shits that the time dilation equations were in some episode.
It would be nice if every children's show used the real equations, in the spirit of promoting STEM education and hiring some additional people from the field to the entertainment industry.
celebrating the fact that we live in a universe where we can watch a MLP franchise without being unironic as fuck.
I am guessing you meant to write "without being ironic as fuck"
Brohoof?
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
You didn't read the article, did you? The Chrome bugs were used to break free of the sandbox, and run arbitrary code on the operating system, which was a fully patched and up-to-date Windows 7.
An browser? Is that the program an hero would use to view webpages and stuff?
Listen to this guy, he's got the right of it: we've got opportunity in this very community...
finally : )
bring bak the ponies!!
>unironic as fuck
'sincere'?
The question is whether the flaws are in one of these implementations, in the OS APIs that these depend on, or in the higher-level code that's shared among all platforms. The Windows sandboxing implementation is the most complex (about 20KLoC, while the Capsicum implementation is the simplest at around 100LoC) so it presents the largest attack surface.
I am TheRaven on Soylent News
Wow, you wrote a very long post to say 'I don't know what I am talking about'.
Every process is sandboxed in a hardware VM. It is using a different instruction set which is restricted from doing anything related to I/O. No process can do anything other than touch its own memory and issue system calls. If it wants to open a socket or access the filesystem, it must issue a system call and then the kernel decides whether to permit this.
Modern browsers (including Chrome) make use of this by running the rendering process - including the JavaScript - inside a separate process that has a restricted set of rights. Typically, this means no access to the filesystem. As such, even if the JavaScript engine has an arbitrary code execution vulnerability, all that the attacker can do is run code inside the process - any system calls that try to touch the rest of the system will just return failure. You also need to find a bug in the sandbox, meaning either a vulnerability in the OS, or a flaw in the policy defined by the browser.
Apart from your joke about an imageboard meme related to someone who was cyberbullied into suicide:
Not everybody was brought up speaking English. Other languages' articles (e.g. een, ein, un) don't drop the N before a vowel. I bet grandparent's English is better than your Tlingit.
Tell them they must stop this hippocracy.
This might be the first time I've seen a misspelling of "hypocrisy" used as a legitimate pun (hippo=horse, cracy=government). And it isn't even a copypasta (or at least one indexed by Google). Bravo.
websites shouldn't rely on [Flash Player] (offer alternative functionality such as downloads or HTML 5 video)
For a vector animation or a game that was made in Flash or another SWF-making tool, what would such "downloads" be, other than the SWF itself? A vector animation such as "Badger Badger Badger" would become ten times bigger in bytes if automatically converted to WebM or MP4, and a game would become a playthrough video.
Browncoats, Trekkies, Whovians, etc. are clearly not.
But are Browncoats, Trekkers, and Whovians a decidedly different demographic from the one that the series' producers originally targeted?
We like a particular show. That isn't much different than any other fan group.
Milhouse is not a meme. "The Simpsons has a fandom" is not a meme. "MLP:FIM has a periphery fandom" is not a meme. But constantly making in-jokes that only "bronies" (the periphery fandom of MLP:FIM) would get is a meme.
It's getting annoying. 0-day means exploited the day the vulnerability is exposed. You can have a 0-day exploit. There is no such thing as a 0-day vulnerability.
I wrote my first program at the age of six, and I still can't work out how this website works.
The current generation seems to be mostly full of beta males. What else could explain MLP's fan base...
Run the JavaScript in a separate process as a nobody user, with all ability to make system calls completely disabled, except for a socket used to communicate with the browser process. Now, there is no way to corrupt the memory of the JS engine from a browser bug, and reciprocally even if the JS engine is compromised all it can do is talk through the socket. Perfect? No. More effective? Yes. Easy to implement? Yes.
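A minimal version of the design TheRaven describes earlier in the thread (a renderer process whose system calls "just return failure") and of the separate-process proposal in the comment above, as an added example that is not from the thread, from Chromium, or from any project. It uses Linux seccomp-BPF: a forked child installs a filter that answers open/openat with EPERM and then tries to open a file, and the parent reports what happened. The function names (install_no_open_policy, sandbox_demo), the deny-list shape and the file path are the example's own choices; a real renderer policy is an allow-list and much larger.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter checks the syscall ABI first, so a process that somehow runs
 * with another ABI (where syscall numbers differ) is killed, not misfiltered. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this target"
#endif

/* Install a seccomp-BPF policy in the calling process: every syscall is
 * allowed except the open family, which fails with EPERM. Deny-list only
 * to keep the example short; production policies allow-list instead. */
int install_no_open_policy(void)
{
    struct sock_filter filter[] = {
        /* A = seccomp_data.arch; kill unless it is the ABI we built for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* A = seccomp_data.nr; open-family numbers jump to the EPERM return */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open                                   /* absent on AArch64 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* the syscall is not executed; the caller sees -1 with errno = EPERM */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* required for an unprivileged process: a filtered process must not be
     * able to regain rights through a setuid binary */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork a "renderer": the child applies the policy and then tries to open a
 * file (constructed demo path; the filter decides before the path matters).
 * Returns what the child reported:
 *   1  open() was refused with EPERM (the policy held)
 *   0  open() succeeded (the policy did not hold)
 *   2  the policy could not be installed (seccomp unavailable here)
 *   3  open() failed with some other errno
 *  -1  fork/wait failed or the child was killed */
int sandbox_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_no_open_policy() != 0)
            _exit(2);
        int fd = open("/etc/hostname", O_RDONLY);   /* glibc issues openat here */
        if (fd >= 0) {
            close(fd);
            _exit(0);
        }
        _exit(errno == EPERM ? 1 : 3);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = sandbox_demo();
    printf("renderer open(): %s\n",
           r == 1 ? "refused with EPERM (policy held)"
         : r == 2 ? "policy unavailable on this kernel"
                  : "NOT blocked");
    return 0;
}
```

The choice of SECCOMP_RET_ERRNO rather than a kill is what makes the renderer behave the way TheRaven describes: it keeps running, its open() simply fails, and the only way to reach the filesystem is a flaw in the policy or in the kernel underneath it. Two caveats the deny-list shape makes visible: the filter says nothing about openat2 (which glibc's open() does not use, but other code might), and nothing about every other syscall that can touch the system; an allow-list of the handful of syscalls a renderer needs avoids both classes of omission.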
It's also possible to break out of hardware VMs. Why? Because there's no such thing as a hardware VM. There's hardware-enhanced VMs, but [...]
I have the image of software breaking out of hardware VMs and becoming a person (perhaps in a robot first, then after Gepetto...).
Sorry to parade on your rain. :)
I feel fantastic, and I'm still alive.
Well said, & pretty wise: Personally, the Operating Systems we use get better all the time, & are getting more 'solid' security-wise vs. bugs & just how they 'let a user go @ it' (ala least privilege for example, even Windows adopted it, as it IS a good idea to protect one from ONE'S OWN SELF)...
HOWEVER, as I *think* you're pointing out?
It's the apps that are problematic mostly/more, & bear the "intrusion gateways"/holes/chinks in the armor...
* Scripting documents for example, & I don't mean just things like MS' OLE compound ones (Word docs, Excel spreadsheets, Access DBs, PowerPoint presentations etc. ) or Adobe PDF's even, but even the WEB's HTML?
I never thought it was a good idea, & here we are today + for years now, dealing with the consequences in 'malicious code' in them!
APK
P.S.=> There is some "good in the bad" though - the holes still present do keep jobs going, even though I would rather have a "bulletproof" application & OS world out there (probably will NEVER happen, just like perfectly 'good' human beings never will, morality-wise, because @ times, desperation can make the best folks go 'bad')... apk