Google Chrome pwned in final Mobile Pwn2Own hack

Google Chrome pwned in final Mobile Pwn2Own hack

Summary: After day 1 saw the compromise of iOS 6 and 7 through Safari and the Samsung Galaxy S4 through Samsung apps, Google Chrome on the Nexus 4 and Samsung Galaxy S4 was fully-compromised. The competition is now over. [UPDATE: The bugs are fixed.]

SHARE:
TOPICS: Security
21

Google Chrome is the last product to fall in Mobile Pwn2Own 2013, sponsored by HP's Zero Day Initiative. Yesterday, on day 1 of the 2 day competition at PacSec Tokyo 2013, iOS 6 and 7 and the Samsung Galaxy S4 were hacked.

Chrome was taken down by "Pinkie Pie" (no further identification is provided). The attacks were demonstrated first on a Google Nexus 4 and then on a Samsung Galaxy S4.

[UPDATE: Google has already patched the Chrome bugs demonstrated by Pinkie Pie.]

Pinkie Pie won the full $50,000 award for using two vulnerabilities in Chrome, first an integer overflow to get remote code execution, then another unspecified vulnerability which resulted in a full sandbox escape. The vulnerabilities have been reported to Google.

These vulnerabilities would allow an attacker to take full control of the device.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • their selection is impeccable

    iOS 6, iOS 7, Android (Samsung), Chrome. Anybody using any of this stuff?
    greywolf7
  • *Nix

    Pfft ...

    What I want to know is how the BlackBerry smartphone running QNX, which sports a true micro-kernel, fared. Did any of the contestants give it a go?
    Rabid Howler Monkey
    • Me too, but nothing complex is likely invulnerable

      Unlike some I definitely believe in security through obscurity. The reason is based on understanding the mal-ware sub-culture. The more popular a system is the more it will be attacked. Right now QNX is pretty safe but if it became popular it will become less so.
      DevGuy_z
  • Sorry - this can't possibly be true

    I mean ... we hear here so often that open source software can't possibly contain any bugs or vulnerabilities due to the 'many eyes' reviewing it and making sure there are never any weaknesses that could be exploited.

    Those of us with a little more experience (mixed with a dash of hard-won cynicism) have been pointing out that this oft claimed 'fact' is in FACT, nonsense.

    Making software secure is really, REALLY, **REALLY** hard. Google, Mozilla, Microsoft, Opera, etc. have spent years making their products as secure as possible and yet they're routinely penetrated by independent 3rd parties.

    This should be more than enough to disavow even the most focused fanboi that security is easy and that should 'just fix their code to be entirely secure'.

    Or, as I am sure we'll soon hear in this and related threads, perhaps not.
    bitcrazed
    • Agreed

      'nuf said
      DevGuy_z
    • so let's wait for the expliots

      in the wild of Chrome on Android then, shall we? Since IE's on Windows are known since... the dawn of IE on Windows.
      eulampius
    • bitcrazed: "open source software"

      Careful, because neither iOS nor Android as used on Open Handset Alliance devices are purely open-source. iOS has open source underpinnings from BSD, including elements of TrustedBSD which is used for iOS sandboxing. The iOS sandbox was not breached in this go-round. Safari, which is based on open source WebKit, is a proprietary web browser.

      As for Android, the only fully open source Android version that I am aware of is from the Replicant Project. Also note that Samsung's apps, which were breached in this go-round, are proprietary.

      An example of secure open source software is the OpenBSD project which has a code auditing team comprised of between 6 and 12 individuals that has operated since 1996. THAT'S hard work. And it's not many eyes. But install X.org, a desktop environment (KDE), a web browser (Firefox or Chromium), an email client (Thunderbird), an office suite (LibreOffice), etc. and it's a whole new ball game as NONE of these projects put the effort into auditing their source code that the OpenBSD project does.
      Rabid Howler Monkey
      • do you know if

        which privileges the exploit gets granted with this? With what we know so far, I can speculate, that since there are no Android specific exploitations mentioned as well as any Linux kernel ones (or at least they are not voiced yet), the Android sandbox system must have not been breached there.
        eulampius
        • Did you read the article? It says very plainly

          "another unspecified vulnerability which resulted in a full sandbox escape"
          Johnny Vegas
          • I did, Johnny

            Despite the scarcity of this info, you need an Android or a Linux kernel vulnerability to elevate the privileges of a uid. No such elevation has been reported.
            Chrome/ium is designed with its own sandbox it uses even on Windows or any other platform. You can escape that, I suppose, and run a calculator, yet still with the Chrome's rights only.
            Just, in case you know some basics of the POSIX uid's/gid's stuff and Android's design.
            eulampius
          • The article also said

            "These vulnerabilities would allow an attacker to take full control of the device."

            If taking full control of the device does not involve compromising the Linux kernel, I bet those guys just did not bother.

            In UNIX speak, "escaping the sandbox" usually means running as root.
            danbi
    • Not sure if Larry has reported on this already:

      "Researchers Abdul Aziz Hariri and Matt Molinyawe from Hewlett-Packard's Zero Day Initiative (ZDI) team, which organized the contest, demonstrated an Internet Explorer 11 exploit on a Microsoft Surface RT device running Windows 8.1."
      quoted from pcworld.idg.com.au
      eulampius
    • easy

      Who said both Android and Chrome are open source?

      With regards to making something secure. There is an old saying in these circles: You never lock valuables in a safe, that itself costs more.
      You always need to evaluate the costs security brings, related to the value of what you try to protect.
      danbi
  • could be the first exploit on Android

    so far. Yet so many things are unknown. The details of this are also not available at the moment. I am, in particular, curious whether the Android's own sandbox is escaped, i.e., whether the executed code was run with the same uid as Chrome's?
    Maybe pushing the enforced policies of SELinux on Android need to be expedited.
    eulampius
  • private browsing in chrome and its merits

    Many people still dont know and understand why they should use incognito mode and how to use it. So I wrote a simple guide explaining its merits. Please share with others.

    http://t.co/uLAyKGE0rd
    Gaurav Bidasaria
  • Were they running KitKat, with an SELinux profile active?

    Be interesting to hear what the OS/config of the Nexus and G4 devices were ... I've been hearing that KitKat turns SELinux from permissive (basically, reporting on actions that would have been blocked) to enforcing. No idea if Chrome has a profile established, though.

    If the attacker found a way to bypass active SELinux access controls - THAT would be something.
    daboochmeister
    • Doubtful that the Samsung S4 and Nexus devices were running Kit Kat

      Kit Kat for the Nexus 7 and 10 was made available for download just a couple of days before the competition began. And AFAIK it has not yet been released for the Samsung S4.

      It will be interesting to see how the various Open Handset Alliance handset manufacturers and AOSP derivations such as Amazon's Kindle Fire HD handle SELinux policy for their devices. Will they use Google's default policy on their devices, modify it in some way or simply disable it? And will Google's default SELinux policy be included in AOSP?
      Rabid Howler Monkey
  • As it stands

    From all platforms tested, only iOS survived. That also includes iOS 6, which some here claim still contain lots of security vulnerabilities. As expected.
    danbi
    • Huh?

      ". Yesterday, on day 1 of the 2 day competition at PacSec Tokyo 2013, iOS 6 and 7 and the Samsung Galaxy S4 were hacked."
      radleym
    • What?

      Did you even read the summary? The FIRST line under the title: "Summary: After day 1 saw the compromise of iOS 6 and 7 through Safari ....."

      iOS6 and iOS7 were compromised on day 1.
      benched42