Pwn2Own at CanSecWest 2013


Johannesburg, 07 Mar 2013

Yesterday, MWR Labs (@mwrlabs) demonstrated a full sandbox bypass exploit against the latest stable version of the Google Chrome browser. The demonstration took place during the annual Pwn2Own competition at the CanSecWest conference, in Vancouver. The vulnerabilities were found and the exploit was developed by MWR researchers Nils (@nils) and Jon (@securitea).

MWR Labs showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop. By visiting a malicious Web page, it was possible to exploit a vulnerability, which allowed MWR Labs to gain code execution in the context of the sandboxed renderer process. MWR Labs also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.

As with many modern operating systems, there were a series of memory protection mechanisms that needed to be bypassed before reliable code execution could be achieved. Specifically, Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) made it more challenging to develop a reliable exploit.

MWR Labs was able to exploit the first vulnerability in multiple ways, allowing it to leak the addresses of several objects in memory, calculate the base address of certain system DLLs, read arbitrary data, and gain code execution. This allowed MWR Labs to bypass ASLR by leaking the base address of a DLL, and to bypass DEP by reading that DLL's .text segment into a JavaScript string, allowing it to dynamically calculate the addresses of ROP gadgets.

Follow MWR Labs on Twitter (@mwrlabs) for more updates. A more in-depth technical blog post will be released once the vulnerabilities have been patched by the vendors, which will detail the process of finding and exploiting these bugs.

MWR InfoSecurity

Editorial contacts

Rachael Bown
MWR InfoSecurity
Rachael.Bown@mwrinfosecurity.com