A Tale of Two Pwnies (Part 1)

Hungry Man · May 22, 2012

http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html

Just over two months ago, Chrome sponsored the Pwnium browser hacking competition. We had two fantastic submissions, and successfully blocked both exploits within 24 hours of their unveiling. Today, we’d like to offer an inside look into the exploit submitted by Pinkie Pie.
Click to expand...

He had to use quite a few bugs. It's interesting to track the exploit as it jumps between the sandboxes.

In an upcoming post, we’ll explain the details of Sergey Glazunov’s exploit, which relied on roughly 10 distinct bugs. While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies. So, we won’t be posting that part until we’re comfortable that all affected products have had an adequate time to push fixes to their users.
Click to expand...

Noob · May 22, 2012

I feel Wilders is getting too technical lately. HAHAHA
Although i read the whole article i only understood like a half of it.

Hungry Man · May 22, 2012

The technical explanation was nice. Even if you don't know that kinda stuff you can still see it was: (dumbed down)
1) Launch Native Client Plugin through a flaw in Prerendering
2) Use NaCli GPU access to exploit the GPU process
3) Use GPU process to ROP and execute code within the GPU sandbox
4) Move from GPU sandbox to weak renderer sandbox
5) Move from weak renderer sandbox to extension manager
6) Exploit a bug in extension manager to register an NPAPI extension

and, of course, at that point they can execute code through the NPAPI.

Quite a few bugs/ exploits had to be chained together along with making use of universal non-aslr on Windows.

Log in or Sign up

A Tale of Two Pwnies (Part 1)

Hungry Man Registered Member

Noob Registered Member

Hungry Man Registered Member

Log in or Sign up

A Tale of Two Pwnies (Part 1)

Hungry Man Registered Member

Noob Registered Member

Hungry Man Registered Member

Useful Searches