Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:02 PM
Connect Directly

Two Zero-Day Flaws Used To Bypass Google Chrome Security

French researchers say they hacked their way out of browser's sandbox, bypassed DES and ASLR

Researchers at French firm VUPEN Security yesterday posted a video of a hack they say they executed using two zero-day vulnerabilities in Google's Chrome browser that successfully bypassed its sandbox and other security features.

VUPEN -- which withheld technical details of the bugs in its disclosure -- had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers. "We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details," says Chaouki Bekrar, CEO and head of research at VUPEN.

A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome," the spokesperson said.

Chrome's sandbox features, which run an application in a restricted environment to protect the system, as well as the use of ASLR and DEP, had made the browser relatively impenetrable to hackers. Adobe also uses Chrome's sandboxing technology, but VUPEN's Bekrar says Adobe's software is not vulnerable to the new hack.

Bekrar says VUPEN employed two different bugs its researchers discovered: one that's exploited inside the sandbox, and one that's executed outside of it. "The first one results from a memory corruption leading to the execution of the first payload at low integrity level, inside the sandbox," he says. "A second payload is then used to exploit another vulnerability, which allows the bypass of the sandbox and execution of the final payload with medium-integrity level, outside the sandbox."

The exploit, demonstrated here using Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), with the user being lured to visit a malware-rigged Web page, also bypasses Microsoft's Address Space Layout Randomization (ASLR) security function and Data Execution Prevention (DEP) attack mitigation feature, and works on all Windows systems, including Windows 7 Service Pack (SP) 1, Windows Vista SP2, and Windows XP SP3, according to Bekrar.

Microsoft's ASLR protects Windows from an exploit attempting to call a system function: It places code in random areas of memory that make it more difficult for an attacker to run malware on a machine. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data.

VUPEN Security early last year said it was able to bypass DEP on IE 8 and execute arbitrary code, and that it had sent its exploit code to Microsoft to examine. Other vendors have demonstrated DEP and ASLR bypass attacks: Core Security Technologies discovered a flaw in Microsoft's Virtual PC hypervisor that can be used by an attacker to cheat DEP and ASLR. And independent researcher Peter Vreugdenhil at CanSecWest 2010 waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

VUPEN's Bekrar says it took the researchers "many weeks" to find a way to bypass Chrome's sandbox. "Chrome has probably the most secure sandbox in the market, and it took us many weeks to find a way to bypass it," he says. "We have been looking into its whole attack surface and features to find a hole allowing the escape from the sandbox."

Anup Ghosh, founder and chief scientist at Invincea, says it's no surprise that the sandbox was hacked. "We always knew from the very beginning, while an internal sandbox is a good idea, architecturally you've still got a lot of residual attack space within the browser," Ghosh says. "It's always just been a question of when it would happen."

And the hack highlights just how the sandbox -- albeit an extra layer of security -- is still just another piece of software that has vulnerabilities of its own, experts say. "Like other security features, such as ASLR, sandboxes are very important as they make exploitation much harder and mitigate threats; however, a sandbox is not unbreakable as it is itself a piece of software, which can be affected by vulnerabilities," Bekrar says.

Invincea's Ghosh says he expects the vulnerabilities to be exploited -- initially by sophisticated attackers targeting specific organizations, and then, eventually, by organized crime syndicates. "I have no doubt that this vulnerability will be exploited. The fact that they are not making it public makes it far more valuable," he says.

Meanwhile, there are no ways for Chrome users to protect themselves from these types of attacks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.