Pwn2Own 2012: Google Chrome browser sandbox first to fall

Summary: Exploit writers at VUPEN take special pleasure in attacking Google's Chrome browser, using a pair of zero-day flaws to defeat the browser's heralded sandbox.

VANCOUVER -- At last year's CanSecWest Pwn2Own hacker contest, Google Chrome and Mozilla Firefox were the only browsers left standing. This year, Chrome was the first to fall, thanks to an impressive exploit from a team of French hackers.

VUPEN, the controversial company that sells vulnerabilities and exploits to government customers, deliberately took aim at Chrome this year to send a simple message: no software is unbreakable if hackers have enough motivation to prepare and launch an attack.

VUPEN co-founder and head of research Chaouki Bekrar and his team used a pair of zero-day vulnerabilities to take complete control of a fully patched 64-bit Windows 7 (SP1) machine. As part of the new competition format, VUPEN will earn 32 points for the successful Chrome exploit.

In an interview, Bekrar said his team worked for about six weeks to find the vulnerabilities and write the exploits. "We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox."

Bekrar declined to say if any of the exploits targeted third-party code in the browser. "It was a use-after-free vulnerability in the default installation of Chrome," he said. "Our exploit worked against the default installation so it really doesn't matter if it's third-party code anyway."

Last year, VUPEN released a video to demonstrate a successful sandbox escape against Chrome but Google challenged the validity of that hack, claiming it exploited third-party code, believed to be the Adobe Flash plugin.

At Pwn2Own this year, Bekrar's team came equipped for zero-day flaws for all four major browsers -- Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox -- but he said the decision to go after Chrome first was a deliberate tactic.

"We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year," he said.

During the hack, Bekrar created a web page booby-trapped with his exploit. Once the target machine visited the page, the exploit ran and opened the Calculator (calc.exe) app outside of the sandbox.

"There was no user interaction, no extra clicks. Visit the site, popped the box."

VUPEN will sell the rights to one of the zero-day vulnerabilities but the company says it won't give up the sandbox escape. "We are keeping that private, keeping it for our customers."

Even as he basked in the glory of defeating the highly touted Chrome sandbox, Bekrar was very complimentary of the work done by Google's security team to add anti-exploit mechanisms into the browser.

"The Chrome sandbox is the most secure sandbox out there. It's not an easy task to create a full exploit to bypass all the protections in the sandbox. I can say that Chrome is one of the most secure browsers available."

"This just shows that any browser, or any software, can be hacked if there is enough motivation and skill," he added.

  • The time has come.

    That cash prize Google offered seemed to be enough to make it happen. Either that or Google's smug attitude about being the last browser standing last year.
    • Pwn2Own

      Actually, Google isn't participating in Pwn2Own. They pulled out because according to the new rules contestants don't have to reveal how they cracked the browser (which was the main reason Google was interested in the competition). Google is hosting their own separate competition for the Chrome browser instead.
    • Yep.

      I'd go with the latter. It all comes down to this; "You want to beat the team with the best reputation first, or pick on a 'nobody'?"

      We all know the answer. You can't read much into this.
      • Agreed, but now all the Apple haters have lost their favorite ammo...

        The Apple haters can no longer say that Apple was the first to fall at Pwn2Own... Nothing to gloat about... It's gonna be a sad year for them. Especially since they just ate a huge helping of iPad3 crow and will get to eat more of it as more and more tablets fail. :(

        It's a sad time to be an Apple hater but a very good time to be a consumer.
      • Agreed as well.

        Chrome had a bullseye on it this time. Quite fascinating though that they found a way around the sandbox, and were still complimentary to the browser's security. That tells me it took them a lot of effort and deemed Chrome a worthy foe.

        What this does reinforce is that nothing can withstand a determined attacker, whether it be physical defences or virtual ones. Defence in depth is the only way to go about it, and even then...
      • apple vs google

        The difference is that Google never proclaimed themselves to be bulletproof and immune to viruses or exploits. They put out products to try and make themselves more bulletproof, but they never kid themselves by selling you a snake oil that proclaims invincibility.

        Apple on the other hand have spent years telling you exactly that they don't have nor do macs get viruses which is so blatantly stupid only drones can't see the difference.
    • It wasn't google who was smug

      Google made no smug response to being the only browser standing last year. That's just your interpretation of it. Google not once hoisted any flags about it. The smugness came from people defending Chrome, not Google. Vast distinction there.
  • hmm, sjvn always writes chrome news first

    not this time.
    • Because it does not hold his love in a positive light

      He only writes skewed positive stuff about Google and Linux and Lies and Made up stuff to portray companies he does not like as bad.
    • sjvn is utterly biased

      Exactly my thoughts when I read this! sjvn may still come up with his own take on it - that the code was third party, not really a Chrome exploit but a Win7 problem, blah blah.. If only the writers could be more objective, blogs would be better reads and the writers themselves would earn the trust of readers.
  • Nice

    "We wanted to show that Chrome was not unbreakable. Last year, we saw a lot of headlines that no one could hack Chrome. We wanted to make sure it was the first to fall this year."

    Well done.
  • We are keeping that private, keeping it for our customers.

    Is he admitting to supporting criminal activities?
    • Sounds 100% like it

      Nobody wants to help a big company like Google for free.
      • They wouldn't be helping Google for free.

        They wouldn't be helping Google for free.
        The winners of the contest receive cash prizes and the device they crack.

        In my opinion, crackers should be legally obliged (maybe they already are?) to give their methods to vendors (but not necessarily to the public.) This way, the exploits can be patched and we can all feel safer as a result. If hackers are allowed to sell exploits to governments or other parties, but not obliged to give their exploits to vendors, then that gives these parties the power to crack into our devices, which should worry us all.
        Jonathan Baldwin
    • Did you read what his company does?

      He sells vulnerabilities he finds to parts of the government.
      • I read it,

        but since it's a French company and they're openly "threatening" to sell vulnerabilities to governments while not openly disclosing them to the vendor, I'm wondering how easily law enforcement could detain them in North America? Pretty easy to no-fly them if nothing else, which would make it difficult to get back home. You do see how this could go very poorly for them unless they have some sort of immunity deal with the Canadian and US Govts?
    • It does read that way

      doesn't it?
      William Farrel
  • impressive

    this will stop google propaganda about its half_a** products for a while.
    • Dear retard,

      Are you an idiot? The guy himself admitted that Chrome is the most secure browser available. The only reason Chrome fell first is because this guy spent a whole year coming up with a way to hack Chrome, and went for it first.
      • Selective quoting there.

        It took them [b]six weeks[/b], not an entire year, to come up with the exploit.

        And his quote was, "I can say that Chrome is [b]one of[/b] the most secure browsers available." Not that it was [b]the[/b] most secure, just one of the more secure. And more telling is that they specifically said they were able to do it on a [b]default[/b] Chrome installation -- no hacking of a 3rd-party add-on that introduced a vulnerability, but a vulnerability existing [b]by default[/b] in Chrome.

        I'll agree, though, that I'm not surprised. It's computer code, after all, & code is only as good as the programmer behind the code. The programmers are all human, therefore they have the potential to make mistakes; ergo, the chances of Chrome's code being 100% free of errors or exploits is just about zero.