

Pinkie Pie Earns $60K At Pwn2Own With Three Chromium 0-Day Exploits

Tackhead writes "Hot on the hooves of Sergey Glazunov's hack 5 minutes into Pwn2Own, an image of an axe-wielding pink pony was the mark of success for a hacker with the handle of Pinkie Pie. Pinkie Pie subtly tweaked Chromium's sandbox design by chaining together three zero-day vulnerabilities, thereby widening his appeal to $60K in prize money, another shot at a job opportunity at the Googleplex, and instantly making Google's $1M Pwnium contest about 20% cooler. (Let the record show that Slashdot was six years ahead of this particular curve, and that April Fool's Day is less than a month away.)"
  • Re:WebKit (Score:3, Informative)

    by Anonymous Coward on Sunday March 11, 2012 @12:42AM (#39316101)

    Well, I don't know which of the linked articles *you* read, but the one I read clearly stated that the first attack vector was a flaw in the Flash plug-in. Chrome's sandbox apparently was then unable to protect the system against the haywire Flash plug-in. So not a flaw in WebKit, in all probability, but three others in Chrome. The article didn't state whether they counted the flaw in the Flash plug-in, but even if they did there are probably at least two flaws in the sandbox.
    As it stands, it confirms what people have been saying for years: Flash shouldn't come pre-installed on computers, websites shouldn't rely on it (offer alternative functionality such as downloads or HTML 5 video), and even if you have it installed you should make sure it's turned off by default to minimise your exposure to Flash vulnerabilities. At this point Chrome does deserve credit because that is in fact possible in Chrome: menu - options - advanced - privacy - content - plugins - block all. As evidenced by that instruction, Chrome's options screen is the worst in history. It's nested too deep and a lot of things are in the wrong section to start with. Why should plug-in blocking be in the privacy section?
    Note however that, like last time this appeared on /., still no vulnerability details have been provided; this is a failing of /. and people should have waited to shove this out until there was more substance to the story.

  • by jdogalt (961241) on Sunday March 11, 2012 @01:02AM (#39316137)

    To further rain on the "VMs, even hardware ones, aren't exploitable" parade, the history of hacking the PS3 is always a fun read:

    http://wiki.ps2dev.org/ps3:rsx [ps2dev.org]

    "FIFO workaround

    The hack consists of asking the Hypervisor to return without waiting for a blit to end. After the Hypervisor returns there is a small length of time during which the FIFO or FIFO registers can be modified before the GPU has finished reading the command. This will occur when a large blit is decomposed into many smaller 1024×1024 blits by the Hypervisor. The last operation pushed to the FIFO by the Hypervisor is a wait for the GPU engine to go idle. By skipping this operation, it is possible to enqueue more commands to the FIFO for the GPU to execute. So the hack consists in either patching the last operation with a NOP, or changing the FIFO write pointer to stop earlier."

  • Re:WebKit (Score:4, Informative)

    by Mr Z (6791) on Sunday March 11, 2012 @01:55AM (#39316325)

    Putting "Flash" under "Privacy" makes sense if you understand how much of the Flash out there really gets used. Flash apps can store a fair bit of data locally on your HD without setting a normal HTTP cookie, [wikipedia.org] which makes tiny, invisible Flash apps handy for tracking purposes.

    While the average web surfer doesn't think about Flash in that way, it's not too surprising a company that makes its fortunes on ad revenue and customer profiling understands its real role on the Web.

    This is why I run flash-block, and only unblock the very occasional app and/or game I care to interact with, and not the half dozen other ones on the same page that don't seem to do anything interesting to me.

  • by Anonymous Coward on Sunday March 11, 2012 @03:41AM (#39316659)

    You missed the key issue.
    A browser exploit is just that: a browser (application) flaw.

    You're missing the key issue: the browser is just the attack vector.

    The article is talking about one guy who used a chain of 3 Chrome-only exploits (not using any 3rd-party addons/plugins and not using any OS bugs/exploits) to fully escape the sandbox, which means this is not an OS-specific exploit.

    To answer your question: if you consider the ability to take any and all actions as if you were the user running the browser to be an exploit, then yes, all of them.
