Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

Summary: Google is offering a $20,000 cash prize, plus a Cr-48 Chrome Notebook, to any hacker who can compromise a Windows 7 machine through a vulnerability and sandbox escape in its Chrome web browser.

Google is offering a $20,000 cash prize for any hacker who can successfully compromise a Windows 7 machine via a vulnerability -- and sandbox escape -- in its Chrome web browser.

The prize is part of this year's CanSecWest Pwn2Own contest, which will pit some of the world's best security researchers and exploit writers against popular web browsers and mobile devices. During last year's contest, Google Chrome was the only browser left standing, but with the enhanced cash prize, and the publicity that goes along with a successful Chrome hack, there is a strong likelihood that someone will take aim at Chrome this year.

According to TippingPoint ZDI, the contest sponsor, a successful Chrome hack "must include a sandbox escape." In practice that means the bug that gets code running inside Chrome's sandboxed renderer is not enough on its own: it has to be chained with a second, privilege-escalation hole that breaks out of the sandbox before the attacker has full control of the system.

Kernel bugs and plugins other than the built-in PDF support are all out of scope for Chrome, TippingPoint ZDI said.

Follow Ryan Naraine on Twitter

As is customary, the CanSecWest conference organizers are offering cash prizes for researchers who use zero-day (unpublished) browser flaws to remotely launch code against a 64-bit Windows 7 or Mac OS X machine.

This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:

  • Microsoft Internet Explorer
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome

TippingPoint ZDI says each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.

On the mobile device side, the 2011 Pwn2Own contest organizers have increased the attack surface to allow attacks against the cell phone basebands.

The targets this year are:

  • Dell Venue Pro running Windows Phone 7
  • iPhone 4 running iOS
  • Blackberry Torch 9800 running Blackberry 6 OS
  • Nexus S running Android

TippingPoint ZDI says a successful attack against these devices must require little to no user interaction and must compromise useful data from the phone. Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope.

UPDATE:

In response to some criticisms from security researchers on Twitter, the conference organizers have modified the Google Chrome portion of the contest to offer different prizes for security holes in Google-written code and other non-Google code.

Here's the change:

On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.

Talkback

41 comments
  • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

    That's either really brave, or really stupid - only time will tell.

    If the exploit has something to do with Flash it will be ironic.
    jeremychappell
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @jeremychappell

      Most exploits come from third party software.
      The one and only, Cylon Centurion
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @jeremychappell Plugins are not in scope. Kernel bugs will be allowed on the second and third day if no one can bypass the sandbox without them.
      dirtybit
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @jeremychappell

      It's cheaper than Google doing real quality control ;-)
      tonymcs@...
      • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

        @tonymcs@ lol? research?
        DevonS
      • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

        @tonymcs@... Amen to that.
        nix_hed
  • It is a drop in the bucket for Google, they should offer $100,000 to get more people trying.
      DonnieBoy
      • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

        @DonnieBoy true that, because if an exploit is that difficult it is worth more than 20k on underground sites
        Jimster480
      • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

        @DonnieBoy That's actually a good price for motivating people and close to the going rate.
        DevGuy_z
      • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

        @DonnieBoy

        Agreed. Larry and Sergey can spend $20K on shoelaces...
        elt10@...
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @jeremychappell It's neither... They know someone will exploit chrome, and $20,000 is chump change to them. Doing this builds good will with the security research community and helps their brand in terms of showing that they're transparent.
      snoop0x7b
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @jeremychappell Mmm, I think it is a good idea, regardless of whether anyone finds anything. If someone does then it has become that much more secure.
      DevGuy_z
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @jeremychappell
      It's a smart move. It would cost much more than $20K to hire good hackers to perform penetration testing of this caliber. They have nothing to lose because chrome notebooks haven't gone mainstream yet so this will either have no effect or give the chrome notebooks a lot of publicity.
      rengek
  • So do they have to bypass Protected Mode for IE?

    "According to TippingPoint ZDI, the contest sponsor, a successful Chrome hack 'must include a sandbox escape'"

    "Kernel bugs and plugins other than the built-in PDF support are all out of scope for Chrome, TippingPoint ZDI said."

    Does this mean that a successful IE hack must include a Protected Mode escape? And cannot use Windows kernel bugs or plugins either? I haven't been able to find out whether the previous Pwn2Own hacks of IE8 bypassed Protected Mode or not...
    PB_z
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @PB_z Bugs in plugins aren't allowed for any browser afaik. Chrome is unique in that plugins run in a separate process so you can't use them to JIT spray etc.
      dirtybit
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @PB_z
      Two researchers found ways to disable DEP (data execution prevention) and ASLR (address space layout randomization) to bring the browser down.
      choyongpil
      • DEP ASLR has nothing to do with the IE sandbox

        @choyongpil
        DEP + ASLR are techniques which make it considerably harder - even theoretically impossible for some classes of vulnerabilities - to get attack code to run by exploiting a memory corruption vulnerability.

        Protected mode (a sandbox) is a next-line defense which limits what the browser process can do *if* it is ever compromised.

        The previous years the competition has been designed such that the attacker didn't need to escape the protected mode sandbox to win the prize (IE's protected mode limits write-up not read-up through the integrity levels - usual account limitations still apply).

        PB_z's question is legitimate in that it is interesting whether different standards are being applied. As I understand it, Google's prize is a special side-competition outside the official one and thus they can set whatever rules they feel.

        I would like to see a special prize if the attacker can demonstrate ability to *write* with the user's permissions or in another way change the system state. IE's sandbox is rather sophisticated in that it may actually allow processes (e.g. Flash) to spawn new processes, *but the new processes will inherit the integrity level* and be constrained in the same way as the original process. Previous years you had to demonstrate ability to run code to read a file, but they didn't require the attacker to run that code in normal integrity.

        Back to DEP+ASLR: What the two researchers showed was that when the attacker is allowed to control large portions of the process memory he may be able to bypass DEP and ASLR. In the case of browsers (every browser, not just IE) they unfortunately inherently allow the attacker to do just that: When you allow flash objects, applets and JavaScript to run the attacker can often fill up the memory and control the layout enough to create reliable bypasses.

        DEP+ASLR are still *very* effective in back-end processes/services where the attacker has limited control over memory. Think web servers, file servers etc. In browsers, DEP+ASLR (and other techniques) are still enough of an obstacle that attack code will come stumbling out from the bypass. They raise the barrier a little, but it is indeed correct that they are not impossible to bypass (in browsers).
        honeymonster
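The write-up versus read-up distinction and the label inheritance described in the comment above can be seen directly with Windows Mandatory Integrity Control, the mechanism IE Protected Mode is built on. The PowerShell session below is an added example; it is not code from the article, from ZDI, or from the commenter. It assumes Windows 7 or later, an ordinary (Medium integrity) user session, and the stock icacls.exe and whoami.exe tools; the Low-labelled copy of cmd.exe stands in for a compromised sandboxed browser process, and the il-demo paths and IL_* environment variable names are made up for the demonstration.

```powershell
# Added example: emulate a Low-integrity (Protected Mode style) process and
# probe what Mandatory Integrity Control lets it do. Not from the article.
# Assumes Windows 7+, a Medium-integrity user session, icacls.exe and whoami.exe.

$work = Join-Path $env:TEMP 'il-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# A file written by a Medium process carries an implicit Medium label
# (icacls prints no "Mandatory Label" line for it).
$secret = Join-Path $work 'secret.txt'
'user data' | Set-Content -Path $secret
icacls $secret

# A process started from an executable labelled Low runs at Low integrity,
# so a Low-labelled copy of cmd.exe gives a sandboxed "attacker" shell
# without needing a browser bug. Its children inherit the label.
$lowcmd = Join-Path $work 'lowcmd.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" -Destination $lowcmd -Force
icacls $lowcmd /setintegritylevel Low | Out-Null

# Hand paths to cmd.exe through the environment; --% passes the rest of the
# line verbatim, which sidesteps PowerShell's re-quoting of native arguments.
$env:IL_SECRET = $secret
$env:IL_LOWDIR = Join-Path $env:USERPROFILE 'AppData\LocalLow'

Write-Host '--- 1. label of the spawned shell, reported by its own child (whoami) ---'
& $lowcmd /c --% whoami /groups | findstr /i "Mandatory"

Write-Host '--- 2. read-up: a Low process reads Medium user data (default policy is NW only) ---'
& $lowcmd /c --% type "%IL_SECRET%"

Write-Host '--- 3. write-up: the same process cannot modify it (No-Write-Up) ---'
& $lowcmd /c --% (echo pwned >> "%IL_SECRET%") && (echo WRITE SUCCEEDED) || (echo WRITE DENIED)

Write-Host '--- 4. Low is not "no write": the profile keeps a Low-labelled area for it ---'
& $lowcmd /c --% (echo allowed > "%IL_LOWDIR%\il-demo.txt") && (echo LOCALLOW WRITE OK)
icacls $env:IL_LOWDIR | Select-String 'Mandatory'

# Clean up.
Remove-Item -Force "$env:IL_LOWDIR\il-demo.txt" -ErrorAction SilentlyContinue
Remove-Item -Recurse -Force $work
```

Step 1 prints "Mandatory Label\Low Mandatory Level" even though whoami.exe on disk has no Low label, which is the inheritance point: spawning a helper does not buy the attacker a higher level. Steps 2 and 3 show why a read-a-file demo does not prove a sandbox escape under the default No-Write-Up policy, and step 4 is the caveat that Low still has writable scratch space (AppData\LocalLow, plus the registry's HKCU\Software\AppDataLow), so "sandboxed" is not the same as "harmless". The ordinary DACL is checked on top of the label in every case, so the usual account limitations the comment mentions still apply.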
  • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

    Yay, new Google Chrome patches should be out by March 8th, midnight!
    TechNickle
  • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

    This is why I use Opera. These hackers themselves use Opera and know that's where real security lies.
    Mark Str
    • RE: Pwn2Own 2011: Google offering $20,000 for Chrome sandbox exploit

      @mgillespie Uh... No. These people use a variety of browsers for various reasons, there is no "the official browser of pwn2own". Opera has its own share of security related bugs just like everyone else.
      snoop0x7b