Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass

Discussion in 'other security issues & news' started by AvinashR, May 9, 2011.

Thread Status:
Not open for further replies.
  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Just because you're hurt your favourite 1/0's were criticized doesn't make it trolling.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't really understand this post.

    1) No it isn't. It's not simply repackaged with some plugins. If you've ever used Chromium there are some distinct features that are different. One of the most obvious features would be the autoupdate feature. Another clear difference is the automatic crash reports. There are some others in there.

    2) Google isn't adding the abilities for plugins to break the sandbox but they are adding the plugins and those plugins are breaking the sandbox (in one case.)

    Maybe I'm misreading what you're trying to say.
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    It was sarcastic, not sure if you picked up on that or not, but it's not really important.

    I didn't really feel the need to elaborate on it much (because of its sarcastic nature) but what is being broadcasted is quite simply, "Google do not modify core components of Chromium such as e.g. the sandboxing technology, for their own benefit, they add features such as what you have described, auto updating but also add plugins such as flash, which may or may not reveal underlying issues with Chromium components such as the plugin API or sandboxing technology".

    I don't think there's anything further (confusion aside) to debate on this topic?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The way I see it, this issue is not directly associated with Chromium, because it doesn't bundle Flash Player. Also, does anyone know if Flash Player stand-alone versions would compromise Chromium?

    Don't forget that the version that comes bundled with Google Chrome also has a sandbox of its own. Could this be what leaks first, and then for some reason, due to this dual sandbox thing, Google Chrome won't be able to contain the plugin in the low integrity level?

    If this is what could be happening, then it's an issue that must be solved by both Adobe and Google (via Chromium, yes, considering it all starts here).

    As VUPEN said, only they and whoever pays them will know what's involved, anything else is mere speculation.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The bug has to exist in flash to begin with, so yes this bug will almost definitely affect stand-alone versions. I would bet on it.

    But Vupen has already said that it's a buffer overflow attack. That means it can be fixed in any of the three places:
    Microsoft's DEP
    Adobe Flash
    Google's Sandbox

    if any of those three are fixed... that's it, exploit's over.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm not considering the exploit itself, or what it will provoke. I'm considering just Adobe Flash Player and Google Chrome. And, yes, the issue starts with Adobe Flash Player. I didn't say otherwise. But, the rest are only mere guesses we all have.

    1) Adobe Flash Player will make Google Chrome's low integrity level processes (the children) run with the same integrity level as the broker (the parent process), be it high or medium integrity level.

    2) How does it do that?

    Is it an issue with Google Chrome's bundled version only? I ask only, because Google Chrome's version differs from the other versions, because it has a sandbox of its own.

    3) Thinking about 2), is there a problem in how Google Chrome's Flash Player version implements its own sandbox, resulting in this bug that VUPEN exploited?

    4) VUPEN said this exploit was possible due to Flash... but, it would be interesting to know where exactly the problem lies. But, VUPEN won't disclose it, unless the interested parties pay for it, and Google is not part of their partnership... so... :ninja:
     
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    But yet we have people who seem to know exactly where the problem lies. And who feel that Chrome is nothing but branded Chromium.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    We don't know exactly where it lies... but we do know the type of attack and the Chrome engineers believe it was flash based. We also know that the 10.3 flash update did NOT fix the security issue.

    So what we know so far is that it's almost definitely a buffer overflow attack that uses flash. Other than that... we don't know anything. It's all speculation.

    edit: From Vupen:
    This is a LOT of information to give the Chrome team.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Here are some screens of Chromium in High IL when not supposed to be. Chromium was running when I opened PE here
    PE_chrome_high1.jpg
    so, I took a screenshot, then closed PE. Since PE is supposedly the issue, it not reading the IL correctly, when it restarts, it should read it fresh, wouldn't one think so? Here is when PE was opened perhaps 45 seconds later.
    PE_chrome_high2.jpg
    Nothing out of the ordinary in my browser, a few websites open as tabs. It was the last tab opened, this website, that was running at High IL, as when I closed it that thread went away and when I came back here in a new tab, it was at Low IL like it should be.
    PE_chrome_high3.jpg

    Sul.

    EDIT: I have found how to recreate this High IL on child processes on demand. Anyone know how I can collect a bug reward ? ;)
     
    Last edited: May 17, 2011
  10. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,985
    Location:
    U.S.A.
    Last edited: May 17, 2011
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol, check this out
    PE_chrome_high4.jpg
    with only 1 tab open to wilders. wow.
    PE_chrome_high5.jpg
    Sul.

    thanks for the links JR
     
  12. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Saw you have jusched.exe running. Why? That's one thing that can safely be turned off if one is a regular @ Wilders. You'll know when the update's available.

    And all the best with the security bug.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sully, I wish you the best of luck!! I just hope that Google developers ... or Chromium's :rolleyes: ... do not look the other way...

    I've already reported to them, a few weeks ago, and I even provided them with screenshots, but they said it's a problem with Process Explorer.

    I told them Process Explorer had no issues with IE or Adobe Reader... (They have brought these two into discussion.)

    By the way, Sully, when you right-click one of the child processes running with High integrity level, if you go to the Security tab, what do you see?

    -edit-

    As you, I can reproduce these IL issues just fine... But, when I go to the Security tab, I see that the integrity level applied is Low. Not medium or high.
     
    Last edited: May 17, 2011
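The Process Explorer check discussed in the posts above, automated as an added example (this is not code from the thread or from the Chromium project): it reads the integrity label from each chrome.exe token, the same value the Security tab shows, and marks renderer children that are not Low. Assumes Windows with PowerShell 3 or later; the `IlQuery` class name and the RID table are my own, and the `--type=` argument is how Chrome's child processes identify their role.

```powershell
# Added example: list every chrome.exe with the integrity level of its primary token.
# Process Explorer reads the same TokenIntegrityLevel information; doing it here lets
# you re-check the reading without trusting one tool's display.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class IlQuery {
    [DllImport("kernel32.dll", SetLastError=true)] static extern IntPtr OpenProcess(uint a, bool i, int pid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool OpenProcessToken(IntPtr p, uint a, out IntPtr t);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool GetTokenInformation(IntPtr t, int c, IntPtr b, int l, out int n);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, int i);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    // Returns the integrity RID of the process token (0x1000 Low, 0x2000 Medium, 0x3000 High), or -1 if unreadable.
    public static int GetRid(int pid) {
        IntPtr proc = OpenProcess(0x1000 /*PROCESS_QUERY_LIMITED_INFORMATION*/, false, pid);
        if (proc == IntPtr.Zero) return -1;
        IntPtr token; int rid = -1, len;
        if (OpenProcessToken(proc, 0x0008 /*TOKEN_QUERY*/, out token)) {
            GetTokenInformation(token, 25 /*TokenIntegrityLevel*/, IntPtr.Zero, 0, out len); // size query
            IntPtr buf = Marshal.AllocHGlobal(len);
            if (GetTokenInformation(token, 25, buf, len, out len)) {
                IntPtr sid = Marshal.ReadIntPtr(buf);                       // TOKEN_MANDATORY_LABEL.Label.Sid
                int last = Marshal.ReadByte(GetSidSubAuthorityCount(sid)) - 1;
                rid = Marshal.ReadInt32(GetSidSubAuthority(sid, last));    // last sub-authority is the level
            }
            Marshal.FreeHGlobal(buf); CloseHandle(token);
        }
        CloseHandle(proc);
        return rid;
    }
}
'@

$names = @{ 0x0000='Untrusted'; 0x1000='Low'; 0x2000='Medium'; 0x3000='High'; 0x4000='System' }
# The broker has no --type= argument; renderer, plugin and gpu children carry one.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name='chrome.exe'") {
    $type = if ($p.CommandLine -match '--type=(\S+)') { $matches[1] } else { 'broker' }
    $rid  = [IlQuery]::GetRid($p.ProcessId)
    $il   = if ($names.ContainsKey($rid)) { $names[$rid] } else { "unreadable($rid)" }
    # Renderers are expected at Low; plugin and GPU processes may legitimately run higher.
    $flag = if ($type -eq 'renderer' -and $il -ne 'Low') { '<-- not Low' } else { '' }
    '{0,6} {1,-12} {2,-8} {3}' -f $p.ProcessId, $type, $il, $flag
}
```

A renderer reported as anything other than Low by both this script and Process Explorer is worth a bug report with the command line and parent PID attached; a mismatch between the two points at the tool rather than the sandbox.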
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I usually turn that off. I recently restored my image and needed java for some things I do with my NAS boxes, so I threw it on. I will restore my image in a couple weeks anyway so not worrying about that right now ;)

    thanks for pointing it out though.

    Sul.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I will check this and see.

    Sul.
     