Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/10/2011
02:02 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Two Zero-Day Flaws Used To Bypass Google Chrome Security

French researchers say they hacked their way out of browser's sandbox, bypassed DES and ASLR

Researchers at French firm VUPEN Security yesterday posted a video of a hack they say they executed using two zero-day vulnerabilities in Google's Chrome browser that successfully bypassed its sandbox and other security features.

VUPEN -- which withheld technical details of the bugs in its disclosure -- had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers. "We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details," says Chaouki Bekrar, CEO and head of research at VUPEN.

A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome," the spokesperson said.

Chrome's sandbox features, which run an application in a restricted environment to protect the system, as well as the use of ASLR and DEP, had made the browser relatively impenetrable to hackers. Adobe also uses Chrome's sandboxing technology, but VUPEN's Bekrar says Adobe's software is not vulnerable to the new hack.

Bekrar says VUPEN employed two different bugs its researchers discovered: one that's exploited inside the sandbox, and one that's executed outside of it. "The first one results from a memory corruption leading to the execution of the first payload at low integrity level, inside the sandbox," he says. "A second payload is then used to exploit another vulnerability, which allows the bypass of the sandbox and execution of the final payload with medium-integrity level, outside the sandbox."

The exploit, demonstrated here using Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), with the user being lured to visit a malware-rigged Web page, also bypasses Microsoft's Address Space Layout Randomization (ASLR) security function and Data Execution Prevention (DEP) attack mitigation feature, and works on all Windows systems, including Windows 7 Service Pack (SP) 1, Windows Vista SP2, and Windows XP SP3, according to Bekrar.

Microsoft's ASLR protects Windows from an exploit attempting to call a system function: It places code in random areas of memory that make it more difficult for an attacker to run malware on a machine. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data.

VUPEN Security early last year said it was able to bypass DEP on IE 8 and execute arbitrary code, and that it had sent its exploit code to Microsoft to examine. Other vendors have demonstrated DEP and ASLR bypass attacks: Core Security Technologies discovered a flaw in Microsoft's Virtual PC hypervisor that can be used by an attacker to cheat DEP and ASLR. And independent researcher Peter Vreugdenhil at CanSecWest 2010 waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

VUPEN's Bekrar says it took the researchers "many weeks" to find a way to bypass Chrome's sandbox. "Chrome has probably the most secure sandbox in the market, and it took us many weeks to find a way to bypass it," he says. "We have been looking into its whole attack surface and features to find a hole allowing the escape from the sandbox."

Anup Ghosh, founder and chief scientist at Invincea, says it's no surprise that the sandbox was hacked. "We always knew from the very beginning, while an internal sandbox is a good idea, architecturally you've still got a lot of residual attack space within the browser," Ghosh says. "It's always just been a question of when it would happen."

And the hack highlights just how the sandbox -- albeit an extra layer of security -- is still just another piece of software that has vulnerabilities of its own, experts say. "Like other security features, such as ASLR, sandboxes are very important as they make exploitation much harder and mitigate threats; however, a sandbox is not unbreakable as it is itself a piece of software, which can be affected by vulnerabilities," Bekrar says.

Invincea's Ghosh says he expects the vulnerabilities to be exploited -- initially by sophisticated attackers targeting specific organizations, and then, eventually, by organized crime syndicates. "I have no doubt that this vulnerability will be exploited. The fact that they are not making it public makes it far more valuable," he says.

Meanwhile, there are no ways for Chrome users to protect themselves from these types of attacks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15350
PUBLISHED: 2020-07-07
RIOT 2020.04 has a buffer overflow in the base64 decoder. The decoding function base64_decode() uses an output buffer estimation function to compute the required buffer capacity and validate against the provided buffer size. The base64_estimate_decode_size() function calculates the expected decoded ...
CVE-2019-19935
PUBLISHED: 2020-07-07
Froala Editor before 3.0.6 allows XSS.
CVE-2020-11882
PUBLISHED: 2020-07-07
The O2 Business application 1.2.0 for Android exposes the canvasm.myo2.SplashActivity activity to other applications. The purpose of this activity is to handle deeplinks that can be delivered either via links or by directly calling the activity. However, the deeplink format is not properly validated...
CVE-2020-15028
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to a cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Map.php xo parameter.
CVE-2020-15029
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Assets-Management.php sn parameter.