As day one of the annual Pwn2Own hacker contest wound down on Wednesday, no browser suffered more abuse than Google Chrome, which was felled by an attack exploiting a previously unknown vulnerability in the most up-to-date version. Combined with a separate contest Google sponsored a few feet away, it was the second zero-day attack visited on Chrome in a span of a few hours.
It was a rare event. To date, there are no known reports of a zero-day attack ever hitting Chrome in the wild, and at the previous three years’ contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software. The chief reason: Chrome’s security sandbox—which isolates web content inside a highly restricted perimeter that’s separated from the rest of the operating system—makes it harder to write reliable attacks.
“We pwned Chrome to make things clear to everyone,” said Chaouki Bekrar, CEO of Vupen Security, which wielded the Chrome zero-day an hour or so after the contest began on Wednesday. “We wanted to show that even Chrome is not unbreakable.”
A contestant in the second contest, which Google has dubbed “Pwnium,” was also able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. Sergey Glazunov wasn’t on site to discuss the hack. Google has said only that for him to win the top $60,000 reward, his exploit was required to bypass the sandbox using code native to Chrome.
Bekrar told Ars that his team’s attack exploited what’s known as a use-after-free bug to bypass DEP, or data execution prevention, and ASLR, or address space layout randomization. Both mitigations are designed to prevent hackers from executing malicious code even when they locate vulnerabilities. He said the attack also exploited a second vulnerability that allows code to break out of the sandbox. He declined to detail the vulnerable component, except to say it was found in the “default” installation of the Google browser.
That detail led several observers to speculate that an Adobe Flash plugin was the means Vupen used to access more sensitive parts of the operating system. While Chrome runs the media player add-on in its own sandbox, the perimeter is considerably more porous than it is with other components, security researchers say. Core functionality in Flash, for instance, requires the app be able to control web cams and microphones, access system state, and connect to display monitors and other connected devices.
Now in its sixth year at the CanSecWest security conference in Vancouver, the contest has had its rules significantly reworked this time around. In the past, organizer Tipping Point paid as much as $15,000 to the first person who exploited a fully patched version of each targeted program. Competitors on Wednesday scored 32 points for zero-day vulnerabilities, and they received 10 points each for exploiting already patched security flaws.
The new rules require nimbleness on the part of contestants because they learned which six patched flaws were eligible only as the competition got underway. Tipping Point gave them a virtual machine containing only a trigger that caused each browser to crash. It was then up to the hackers to use debuggers, disassemblers and other tools to isolate the cause of the crash and to engineer an exploit that allowed them to remotely execute code.
“It’s really challenging because you don’t only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly,” Bekrar said. “Our team creates exploits every day, every year, so for us it was a nice challenge.”
So far, his team has exploited three of the six eligible vulnerabilities. It took 20 minutes to develop an attack for version 8 of IE running on Windows XP, an hour to write one that pwned Safari 5 on OS X Snow Leopard, and two hours for one that compromised Firefox 3 on Windows XP. That left Vupen with 62 points as day one was winding down. A separate contestant that had entered had no points yet, but its members could still submit entries until midnight. The contestants will also have a shot at the same vulnerabilities on Thursday and Friday, although the points scored diminish over time.
Vupen plans to exploit the remaining patched vulnerabilities on Thursday. But Bekrar, who said his team spent six months developing multiple zero-days for all four of the eligible browsers, said people shouldn’t be surprised if Vupen drops another one in the coming day.
“I think tomorrow we will go for another browser, just for fun,” he said.