At the 2011 CanSecWest Pwn2Own hacker contest, Google Chrome was the one browser that challengers could not break into. Fast forward to the 2012 challenge, and Chrome was the first to fall, thanks to a team of French hackers who found a previously unknown vulnerability in the software.
VUPEN, a vulnerability research firm whose customers are often government agencies, took aim at Chrome this year and made a bold statement once it had broken in: no software is unbreakable if attackers have enough motivation to prepare and launch an attack.
And surprisingly, this was only the first of two attacks made on Google’s Chrome browser in a span of only a few hours on the opening day of the annual contest. Google had sponsored a separate contest at the event, which also saw the browser fail dramatically.
As the only browser left standing at the 2011 event, Chrome had a huge bull's-eye painted on its back for hackers to try and hit. In a perfect world, Chrome would have shot down any takers. But this is no perfect world, and hackers proved that yesterday.
The Pwn2Own contest takes place at the annual CanSecWest security conference in Vancouver, British Columbia. The goal of the contest is to exploit browsers and mobile devices to take full control of the system. Hackers who break a system receive the device they hacked and a cash prize. The contest sponsor, TippingPoint, provides a report of the vulnerabilities to the vendor of the affected software, detailing how each vulnerability was exploited. The details are not made public until the vendor has corrected the vulnerability.
VUPEN was the first team to successfully hack Apple's Safari browser last year, so it only seemed fitting that it was the first to break Chrome this year. It set its sights on the browser after first spending six weeks developing a plan of attack. Its method chained two zero-day vulnerabilities (flaws in shipping software that the vendor does not yet know about) and a booby-trapped website set up for the hack. Once the target machine visited the site, the exploit ran and launched the Windows calculator outside the browser's sandbox, the contest's customary proof of arbitrary code execution, demonstrating complete control of the fully patched 64-bit Windows 7 machine.
“We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox,” VUPEN co-founder and head of research Chaouki Bekrar told ZDNet in an interview at the contest.
However, he declined to say if any of the exploits targeted third-party code in the browser. “It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway.”
VUPEN had previously released a video showing it cracking Chrome, but Google dismissed it, saying the exploit targeted third-party code, most likely Flash. Though VUPEN declined to say how it gained control this time, it did note that the target was a completely default installation of the browser. Because Flash ships bundled with Chrome, a default installation includes it, so a similar exploit could very well have been used.
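Bekrar describes the browser-side bug only as a use-after-free. The following is an added illustration of that bug class, not VUPEN's exploit or any Chrome code: a constructed, deterministic slab allocator stands in for the real heap so the reuse of a freed chunk is reproducible, a freed object holding a function pointer is refilled by an attacker-sized allocation, and the dangling pointer then "sees" attacker bytes where the call target used to be. The generation-checked handle in the hardened version is one mitigation pattern chosen for the example, not a description of how Chrome fixed the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy slab allocator, so chunk reuse is reproducible. Real
 * allocators (glibc, Windows LFH, PartitionAlloc) usually hand back a recently
 * freed chunk of the same size class too, but do not guarantee it. */
#define SLOT_SIZE 32
#define NSLOTS    4

static unsigned char slab[NSLOTS][SLOT_SIZE];
static int      slot_in_use[NSLOTS];
static uint32_t slot_gen[NSLOTS];          /* bumped on every free */

static void toy_reset(void) {
    memset(slab, 0, sizeof slab);
    memset(slot_in_use, 0, sizeof slot_in_use);
    memset(slot_gen, 0, sizeof slot_gen);
}

static int toy_alloc_slot(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_in_use[i]) { slot_in_use[i] = 1; return i; }
    return -1;
}

static void toy_free_slot(int i) {
    slot_in_use[i] = 0;
    slot_gen[i]++;                         /* any handle minted earlier is now stale */
}

/* The kind of object a UAF typically targets: it carries a function pointer the
 * program will call later, so whoever refills the chunk picks the call target. */
typedef struct {
    void (*on_event)(const char *);
    char   name[24];
} listener_t;

static int  benign_calls;
static void benign_handler(const char *s) { (void)s; benign_calls++; }

/* Vulnerable pattern: a raw pointer is kept after the object is freed, then a
 * same-size allocation filled by the attacker lands in the same slot. The
 * function returns the pointer the program would have called instead of
 * calling it, so the corruption can be inspected safely. */
uintptr_t vulnerable_flow(void) {
    toy_reset();
    int s = toy_alloc_slot();
    listener_t *l = (listener_t *)slab[s];
    l->on_event = benign_handler;
    strcpy(l->name, "tab");

    toy_free_slot(s);                      /* object released, `l` left dangling */

    unsigned char *attacker = slab[toy_alloc_slot()];   /* reuses slot s */
    memset(attacker, 0x41, SLOT_SIZE);     /* constructed attacker-controlled bytes */

    return (uintptr_t)l->on_event;         /* 0x4141...: the attacker chose the target */
}

/* One mitigation: never hold a raw pointer across a free. Hold a handle that
 * records the slot's generation and re-validate it on every use, so a stale
 * handle resolves to NULL instead of to whatever now occupies the memory. */
typedef struct { int slot; uint32_t gen; } handle_t;

static listener_t *resolve(handle_t h) {
    if (h.slot < 0 || h.slot >= NSLOTS) return NULL;
    if (!slot_in_use[h.slot] || slot_gen[h.slot] != h.gen) return NULL;  /* stale */
    return (listener_t *)slab[h.slot];
}

/* Returns 1 if the stale handle was refused (no call made), 0 if it was
 * wrongly honoured. */
int hardened_flow(void) {
    toy_reset();
    handle_t h = { toy_alloc_slot(), 0 };
    h.gen = slot_gen[h.slot];
    resolve(h)->on_event = benign_handler;
    strcpy(resolve(h)->name, "tab");

    toy_free_slot(h.slot);                 /* generation advances here */

    unsigned char *attacker = slab[toy_alloc_slot()];
    memset(attacker, 0x41, SLOT_SIZE);

    listener_t *l = resolve(h);            /* generation mismatch -> NULL */
    if (l == NULL) return 1;
    l->on_event(l->name);                  /* never reached with a stale handle */
    return 0;
}

int main(void) {
    printf("vulnerable: would call %#lx\n", (unsigned long)vulnerable_flow());
    printf("hardened:   stale handle refused = %d\n", hardened_flow());
    return 0;
}
```

In a real browser the attacker does not write 0x41s; the refill is a controlled object (a string or array of the right size) whose contents point at a ROP chain or a sandboxed-to-unsandboxed pivot, and the DEP/ASLR bypass Bekrar mentions is what makes that target address usable. The toy shows only the first link of that chain: a freed object whose memory the attacker now owns.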
“We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year,” Bekrar told Ryan Naraine of ZDNet.
Even though Chrome fell this year, Bekrar told ZDNet that “the Chrome sandbox is the most secure sandbox out there. It’s not an easy task to create a full exploit to bypass all the protections in the sandbox.” Still, if you have the drive, the know-how and a simple booby-trapped webpage at your fingertips, anything is possible, he added.
In Google's sponsored contest, dubbed "Pwnium," a contestant was able to bypass the Chrome sandbox and execute code of his choosing on the underlying machine. However, Google said the $60,000 reward was not awarded, because the contestant did not meet the contest's requirement for the exploit code used to bypass the sandbox.
The Pwn2Own contest, now in its sixth year at the CanSecWest conference, has a new set of rules for hackers. In the past, TippingPoint paid as much as $15,000 to the first person who exploited a fully patched version of each targeted piece of software. This year, competitors score 32 points for a zero-day vulnerability and an additional 10 points each for exploiting six already patched security flaws. Monetary rewards go to the top point scorers at the event's end.
The new rules require nimbleness on the part of contestants, because they learned which six patched flaws were eligible only as the competition got underway. TippingPoint gave hackers a virtual machine containing only a trigger that crashed each browser. It was then up to the hackers to use their own tools to find the root cause of the crash and to engineer an exploit that turned it into remote code execution.
“It’s really challenging because you don’t only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly,” Bekrar said. “Our team creates exploits every day, every year, so for us it was a nice challenge.”
So far, VUPEN has exploited three of the six eligible patched vulnerabilities. Together with its zero-day, that left VUPEN with 62 points (32 plus three times 10) as day one of the contest wound down. Contestants will have the same chance to exploit vulnerabilities on Thursday and Friday, although the points scored diminish over time.
Bekrar said VUPEN plans to exploit the remaining patched vulnerabilities today.