How Google set a trap for Pwn2Own exploit team


Summary: Here's the story of how a unique signature was used to figure out whether exploit writers would take aim at the Flash Player plugin in the Google Chrome browser.


(The VUPEN exploit team with Nicolas Joly at far right)

VANCOUVER -- Last May, when security researchers from VUPEN posted this video to gloat about a demonstrated code execution exploit -- and sandbox bypass -- against the Google Chrome browser, the security response folks at Google took a close look and found enough evidence that the exploit actually hit the Chrome Flash Player plugin.

At the time, the two companies publicly sparred over the origin of the vulnerability with Google intent on making the distinction that the faulty code was supplied by Adobe and VUPEN insisting that it didn't matter because the exploit worked against the browser's default installation.


Fast forward to CanSecWest and Pwn2Own 2012. As you know, Google launched an alternative to Pwn2Own to ensure it got the full rights to any sandbox exploitation, so when the VUPEN team announced it would arrive here with a Chrome zero-day, the Google Chrome security team decided to set a trap.

Google could figure out very easily if a certain exploit technique was being used. Even more, if an attack targeted third-party (er, Adobe Flash Player) code, they could pinpoint the technique.

In this case, the Google Chrome security team knew that the Flash Player plugin sandbox is significantly weaker and that an exploit against Chrome's Flash Player would have to go through a certain path.

Having figured out that VUPEN used that technique (from the May video), Google decided to add a specific protection for Flash.

On March 5, the protection was added to Google Chrome 17.0.963.65. When the protection triggers, it generates a unique signature -- 0xABAD1DEA -- hexadecimal that spells out "a bad idea." The protection was meant to make the browser resilient to certain attacks, but in a bit of cat-and-mouse it was left in there to see if anyone would find it and make a public comment.
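The pattern described here -- a hardening check that, when it fires, both blocks the action and leaves a distinctive, searchable value in crash telemetry -- is worth seeing end to end. The following is an added illustration, not Chrome's code and not anything VUPEN or Google published: the plug-in/broker request model, the allow-list policy and the crash-report format are all assumed, and the sample reports are constructed. Only the marker value 0xABAD1DEA comes from the article.

```python
"""Tripwire-marker illustration (added example; not Chrome's implementation).

A boundary check raises with a fixed marker code, and a telemetry scanner
finds that code in crash records regardless of how the platform wrote it.
"""
from dataclasses import dataclass
import re

# Marker value from the article: hexadecimal "a bad idea".
TRIPWIRE_MARKER = 0xABAD1DEA


class TripwireTriggered(RuntimeError):
    """Raised when the hardening check fires; carries the marker so the
    resulting crash record or log line can be keyed on it."""

    def __init__(self, detail: str):
        super().__init__(f"exception_code=0x{TRIPWIRE_MARKER:08X} ({detail})")
        self.code = TRIPWIRE_MARKER
        self.detail = detail


@dataclass
class PluginRequest:
    """Hypothetical request a plug-in process makes to the browser broker."""
    plugin: str
    operation: str
    target: str


# Hypothetical policy: the plug-in process may only ask the broker for the
# operations listed here; anything else is treated as an escape attempt.
ALLOWED_OPERATIONS = {"flash": {"read_file", "open_socket"}}


def broker_dispatch(req: PluginRequest) -> str:
    """Policy check at the trust boundary. A request outside the allow-list is
    blocked (the mitigation) and raised with the marker (the tripwire)."""
    allowed = ALLOWED_OPERATIONS.get(req.plugin, set())
    if req.operation not in allowed:
        raise TripwireTriggered(f"{req.plugin}:{req.operation}->{req.target}")
    return f"ok:{req.operation}"


def check_request(req: PluginRequest):
    """Return None when the request is allowed, else the marker code."""
    try:
        broker_dispatch(req)
        return None
    except TripwireTriggered as exc:
        return exc.code


# Crash reports may record the code as upper- or lower-case hex or as a plain
# decimal, so the scanner parses the number before comparing.
_CODE_RE = re.compile(r"exception_code=(0x[0-9a-fA-F]+|\d+)")


def scan_crash_reports(lines):
    """Return the report ids whose recorded exception code equals the marker."""
    hits = []
    for line in lines:
        match = _CODE_RE.search(line)
        if match and int(match.group(1), 0) == TRIPWIRE_MARKER:
            hits.append(line.split()[0])
    return hits


# Constructed sample telemetry, not real crash data. rpt-003 carries the
# marker in decimal (2880249322 == 0xABAD1DEA).
SAMPLE_REPORTS = [
    "rpt-001 product=chrome ver=17.0.963.65 exception_code=0xc0000005",
    "rpt-002 product=chrome ver=17.0.963.65 exception_code=0xABAD1DEA module=flash",
    "rpt-003 product=chrome ver=17.0.963.65 exception_code=2880249322",
    "rpt-004 product=chrome ver=17.0.963.65 exception_code=0xabad1dea",
]


def demo():
    """Trip the check once, then show which sample reports carry the marker."""
    code = check_request(PluginRequest("flash", "create_process", "example"))
    print(f"blocked request recorded with code 0x{code:08X}")
    return scan_crash_reports(SAMPLE_REPORTS)


if __name__ == "__main__":
    print(demo())
```

The design point is that the marker is chosen to be unmistakable (no legitimate crash produces it) and that the scanner normalises the code before matching, so a report written in decimal by one platform is not missed when analysts search the hex spelling.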

The VUPEN team arrived at CanSecWest and, during testing of its exploits for Pwn2Own, stumbled into the exception. A VUPEN exploit writer confirmed on Twitter:

Once that tweet went out, it was clear to Google that VUPEN was targeting Flash Player to attack Chrome. Although the Googlers can't confirm 100% that VUPEN's tweet wasn't part of a big ruse, they knew for sure that VUPEN was attempting an exploit that triggered that specific exception.

VUPEN co-founder Chaouki Bekrar, an outspoken exploit writer who insisted the team deliberately targeted Chrome to prove a point, was uncharacteristically coy when asked if the faulty Chrome code came from Adobe.

“It was a use-after-free vulnerability in the default installation of Chrome,” he said. “Our exploit worked against the default installation so it really doesn’t matter if it’s third-party code anyway,” Bekrar told me.

His careful wording was a sign that Flash Player was indeed the Chrome weak link.

Maybe Google already knew this, because of a well-placed cat-and-mouse trap.


    • Even if it is the Flash

      I agree with the guys at VUPEN. Who cares if it's a problem with Flash and not Chrome? This is a plugin that's provided with the Chrome download, installed by default, i.e. most Chrome users will have it, barring anything weird.
      • Adobe and Google developers care

        In the end the vulnerability exists in the default install. Given it was the first to fail, the MS fanboys will presumably use this as proof it is the least secure (despite all browsers falling at the same stage of the comp).

        Identifying the code also helps in targeting security resources, given the team's reluctance to disclose the vulnerability (except to customers).
        Richard Flude
        • Sorry, but you got it wrong

          Microsoft doesn't bundle Adobe software with IE. Google does, so the onerous is on them. As with any OEM-type company, if they bundle a third-party product, the vendor of the host product is responsible for support and maintenance for the end-user.
        • Onus vs onerous

          FYI, Joe_Raby, it's "onus" (n.) not "onerous" (adj.) as in "the onus is on them" vs. "that was an onerous job". Hope this helps.
      • Probably

        The people who go in and plug the hole, you know, to protect us from the evil hackers out there.
      • of course it's important

        If it's a problem with the plugin, your option is to remove the plugin and continue with Chrome knowing it's secure. But if the problem is Chrome, then you are jacked from the start. If someone said you have cancer, but one is early stage that can be removed while the other is not treatable in conventional ways, you would care, wouldn't you?
    • RE: Even if it is the Flash

      Your rationale blows away every excuse Microsoft gives for 3rd party exploits on Windows.
      • Am I getting your rationale straight?

        So if IE is exploited through a 3rd party, it's MS's fault, but if Chrome is exploited through a 3rd party, it's not Google's fault?
        William Farrel
        • Well...

          While I do think these things are just a bit of a sideshow (and have got very little to do with actual security in the wild)...

          You ship with something you assume responsibility. The distinction between "our code" and "their code" is rather academic if it's used in an exploit - to the user it's all the same.
    • Or maybe Google's trying to save face?

      It sure sounds like a pretty lame "explanation".
      William Farrel
    • Duh!

      Google is all about propaganda... Chrome was the first to fall, period. Trying to twist that story will only make it worse and make Google look cheaper...
      • To the contrary

        Chrome was the last to fail. All other browsers failed in previous years. Pwnium was set up because Google wanted to encourage more attacks so that they could make the browser even more secure, not just rest on their laurels as the only unexploited browser.
        • Actually

          Pwnium was set up because Google wanted teams to share all the exploits they use to hack Chrome.

          The official contest changed the rules so that teams no longer have to share exploits with the browser developers.
      • Well, then...

        If there's a massive wall and a weak one, and the massive one is blown up first, is it weaker even though it just was broken first *because it was the first one they tried to break*?
    • Give Google some credit with Chrome

      By including the Flash and PDF Reader plug-ins with the Chrome web browser, Google is trying to provide enhanced security to their users. Both plug-ins are transparently updated and require no action by users (unlike Java). Chrome also provides transparent updates to the browser itself. And old, unpatched browser plug-ins, especially Flash, Java and Adobe Reader, are a major reason that consumers get their PCs pwned.

      Want to reduce your exposure to 0-day attacks? Use Chrome's built-in whitelisting capability to manage use of 3rd party plug-ins. Ditto for JavaScript. Frequently-visited sites, aka 'trusted sites', are allowed the use of 3rd party plug-ins and JavaScript by default. All other sites are not, but one can decide on a case-by-case basis whether to temporarily allow their use.
      Rabid Howler Monkey
    • Humour

      And who said programmers don't have any sense of humour?
      0xABAD1DEA, just four bytes, but it can make any ZDNet reader smile.
    • Monster Dre Beats

      One of the reasons I started this Monster Dre Beats blog was to share the discussions I have been enjoying with Monster Beats Studio Good Word readers who write in questions and comments about Monster Beats Pro. Not long ago Jane Quein wrote, “Another often misspelled word Cheap Monster Beats or mispronounced word is congratulations Monster Beats Outlet. Many people spell is congradulations. I’ve seen it spelled this way on many outdoor signs Cheap Monster Dre Beats. Misspelled words drive me crazy discount monster beats!”
      • What the ... ?

        I'm not sure if that was Spam or you're an idiot.

        Either way... wow.
        Hallowed are the Ori
        • A little from column A, a little from column B...

          Anybody that buys headphones that claim to offer superior bass handling from a spokesperson that probably already has severe low-tone deafness from his own music is an idiot.
      • The beat goes on and on and on and...

        JK!! Hey huakai0820!! Must be good drugs!!
        Arm A. Geddon