CanSecWest Pwnium: Google Chrome hacked with sandbox bypass
Summary: The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome security holes.
VANCOUVER -- A Russian university student hacked into a fully patched Windows 7 machine (64-bit) using a remote code execution vulnerability/exploit in Google's Chrome web browser.
Glazunov scored a $60,000 payday for the exploit, which targeted two distinct zero-day vulnerabilities in the Chrome extension sub-system. The cash prize was part of Google's new Pwnium hacker contest, which is being run this year as an alternative to the more well-known Pwn2Own challenge.
According to Justin Schuh, a member of the Chrome security team, Glazunov's exploit was specific to Chrome and bypassed the browser sandbox entirely. "It didn't break out of the sandbox [but] it avoided the sandbox," Schuh said in an interview.
Schuh described the attack as "very impressive" and made it clear that the exploit "could have done anything" on the infected machine. "He (Glazunov) executed code with full permission of the logged on user." "It was an impressive exploit. It required a deep understanding of how Chrome works," Schuh added. "This is not a trivial thing to do. It's very difficult and that's why we're paying $60,000."
Glazunov is a regular contributor to Google's bug bounty program and Schuh raved about the quality of his research work.
Schuh said Glazunov had once submitted a similar sandbox bypass bug, but stressed that bugs of this kind, which allow full code execution outside the browser sandbox, form a very small percentage of bug submissions.
Google's Sundar Pichai says the company is "working fast on a fix" that will be pushed out via the browser's automatic update utility.
Talkback
I'm shocked, shocked I tell you, to hear that Chrome has security bugs
As has been documented by Google Engineers in their Chromium 'Caveats'
[b]Caveats:
"The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.
In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox."[/b]
Windows 7 and all revisions share the same legacy WinNT kernel.
The Windows kernel cannot police itself.
Unlike Windows, Linux LSM can and does police the actions taken by the kernel.
This is what makes Linux the more secure solution and with an App sandboxed in LSM, there isn't a worry about zero-day exploits. They have no effect whatsoever.
This exploit will be confirmed as a DLL injection attack which the Google Engineers cannot protect against.
Questions?
Can my grandmother enable it without opening a terminal window?
If enabled will it break anything else?
And ...
I don't know why we bother with DTS: He keeps posting that LSM is the silver bullet and saviour from all malicious attacks. You, I and others keep pointing out the well-known flaws with LSM, which he continues to ignore.
Sad really.
Answers
"Can my grandmother enable it without opening a terminal window?" Dear dear grandma-ma has passed (though she may be using Linux where she is now :-) ), but I'll answer for my mom - yes, she enables it by booting the machine, because I've configured it in.
"If enabled will it break anything else?" - no, because I test required apps.
Less tongue-in-cheek, I understand what you're poking at - that it's not enabled by default in many distros, and that a non-IT end user might have difficulty doing so. But that's a criticism of the Linux business and distribution model, not the security capabilities of Linux. And certainly for a professional setting, where an IT dept appropriately controls the configuration of any client OS, it's completely relevant that LSM-leveraging implementations provide significant security benefit.
So you're ignoring his point by deliberately poking at non sequiturs. No, Linux doesn't have the same business model as Windows, where one company takes near-complete responsibility for the security of the OS. Understood, there are advantages to that model (and to the Linux model as well -- not least of which is that the non-homogeneity dilutes the value of any potential exploit).
Now, bitcrazed's comment below is different - pointing out that exploits are still possible. True - but it has to be viewed from a defense-in-depth perspective, and such potential exploits understood in context. What would it take to create the environment needed for the exploit he lists? And what process is not LSM protected? Just saying "there's ways around it" doesn't mean there's practical exploits available. And it STILL doesn't mean it's not better than alternatives, e.g., the Windows security model.
RE: Questions?
Depends on the Linux distro and specific app. Debian? No. Ubuntu/Linux Mint? Yes, for services such as cups, but not for Firefox.
[i]Can my grandmother enable it without opening a terminal window?[/i]
Depends on the distro. Both openSUSE (uses AppArmor) and Mandriva (uses Tomoyo) include GUI tools for building LSM app profiles and policies. Still, users must adequately 'train' their apps. I suspect that many users would also be stumped with the GUI tools.
[i]If enabled will it break anything else?[/i]
Depends on the default profile/policy provided by the distro and how one uses their web browser. Add-ons, plug-ins (e.g., Flash, Java, PDF Reader, media player), printing (to a printer or PDF/PS file), downloading files and starting one's email client when an email address hyperlink is clicked could easily be broken.
What's interesting is that Google has chosen NOT to use LSM for sandboxing Chrome/Chromium on Linux. Why? There's too much variability among the distros with respect to the LSM used (e.g., SELinux, AppArmor, Tomoyo) and whether or not an LSM is enabled by default (e.g., Debian). Instead of LSM, the default sandbox for Chrome/Chromium uses suid, chroot and clone. And most importantly, Chrome/Chromium is sandboxed by default on most Linux distros, requiring no action by users.
This confirms to me you don't understand.
But a software vendor doesn't choose LSM for their App. LSM is part of the Linux Main Line Kernel (DKMS), installable by a 'User' who chooses which application to sandbox with it.
An exploit CANNOT propagate from a running App which is sandboxed in LSM.
If you choose to not run LSM, then you are left with Linux default security matrix and Chrome's internal sandboxing defense measures, which by themselves are pretty good.
If this was indeed the case here, don't you think Google would
"'It was an impressive exploit. It required a deep understanding of how Chrome works,' Schuh added. 'This is not a trivial thing to do. It's very difficult and that's why we're paying $60,000.'"
Didn't see a single reference to a deep understanding of how Windows allows Chrome to be exploited.
I think you fib to further your agenda.
I think you miss the point.
It is the role of the operating system to defend against attacks, not the app.
This is the point of LSM standing outside the kernel and policing all the app and kernel (both) activities--it is a third party monitor.
Windows has no such capability. LSM does not exist.
Thus, placing any App generally speaking in LSM on Linux won't stop developers from writing code with bugs that can be exploited. What it does is stops zero-day exploits from gaining privilege escalation.
Please educate yourself. Developers should not be the bearers of full responsibility for the security of the underlying operating system.
There's no agenda here other than to educate the readers who may not know such as yourself.
I think this time YOU miss the point.
Windows "OS"
Let's hope WinRT will change that. It's 21st century already.
go fans
Incorrect. This will not be confirmed by Google engineers as
Making excuses for your misplaced trust in open source software will not change the facts.
:|
An LSM related issue? On a Win7 box?
And "poor coding"? This guy isn't a script kiddie ...
Dietrich, Dietrich, Dietrich...
The attack, [i]which included a Chrome sandbox bypass[/i], was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome security holes.
This quote from the article says it all. Emphasis mine.
google propaganda
GIVE ME CASH I CAN DIE FOR THAT