Is Google Chrome truly that vulnerable?

Discussion in 'other anti-malware software' started by CoolWebSearch, Jul 6, 2014.

  1. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Regarding the subject, people...

    Can anyone say whether Chrome blocks code injection -- I'm specifically thinking of CreateRemoteThread?

    If so, how? Does it work on XP, or is that where Chrome is weaker on XP lacking Integrity Levels?

    If it's relying on Integrity Levels, then CreateRemoteThread is still possible from Chrome (exploit) to processes of same or lower Integrity?
     
  2. Hungry Man

    Hungry Man Registered Member

    You cannot call CreateRemoteThread (CRT) from a Chrome renderer. Or, rather, you can probably call it but it won't do anything.

    1) You can't CRT something of an integrity level above you. Chrome is untrusted, so it can only do that to other untrusted processes.

    2) You can't CRT something of a separate user from you (unless you are Admin) - Chrome renderers run as separate users.
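
A simplified model of the integrity-level rule in point 1, added here as an illustration and not part of the original post. The function names and the read/write grouping are this example's own assumptions; the access-mask values and `S-1-16-*` SIDs are the documented Windows ones. It covers Vista and later only and leaves out the DACL/user check of point 2.

```python
# Simplified model of the Windows mandatory integrity check on process objects.
# Added illustration; function names and grouping are this example's own.

PROCESS_CREATE_THREAD     = 0x0002
PROCESS_VM_OPERATION      = 0x0008
PROCESS_VM_READ           = 0x0010
PROCESS_VM_WRITE          = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

# Rights the CreateRemoteThread documentation requires on the target handle.
CRT_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
              PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

# Generic class each right maps to for process objects (assumed grouping).
WRITE_CLASS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
READ_CLASS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION


def integrity_rid(sid):
    """Return the integrity RID of a mandatory-label SID such as S-1-16-4096."""
    parts = sid.upper().split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"] or not parts[3].isdigit():
        raise ValueError(f"not an integrity-level SID: {sid!r}")
    return int(parts[3])


def mandatory_filter(caller_sid, target_sid, desired,
                     no_write_up=True, no_read_up=True):
    """Return the subset of `desired` that survives the integrity check.

    The defaults model a process object: no-write-up and no-read-up.
    """
    if integrity_rid(caller_sid) >= integrity_rid(target_sid):
        return desired  # same or lower target: the DACL alone decides
    allowed = desired
    if no_write_up:
        allowed &= ~WRITE_CLASS
    if no_read_up:
        allowed &= ~READ_CLASS
    return allowed


def crt_passes_integrity_check(caller_sid, target_sid):
    """True if every right CreateRemoteThread needs survives the check."""
    return mandatory_filter(caller_sid, target_sid, CRT_RIGHTS) == CRT_RIGHTS
```
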
     
  3. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Thanks HM, I didn't realize Chrome runs anything as separate users -- what user does it use? And that doesn't affect communication with the broker process, etc.? Does it also run like that on XP?

    Yeah, I knew about Integrity Level restricting CRT :), but that doesn't apply on XP. Is CRT still blocked on XP?

    I was just wondering if it only used Windows' mechanisms (yes it seems, at least Vista+) or something else.

    Several months ago I was playing on XP restricting as much as I knew with limited knowledge (Restricted token, all Job restrictions, etc.), but I couldn't stop CreateRemoteThread from working! (Although programs were broken otherwise :p without a broker/proxy, of course...)

    Is there any good way to block CRT on XP?
     
  4. Hungry Man

    Hungry Man Registered Member

    I double checked. On Windows it uses the standard (your) user's token, actually. Interesting. On Linux the renderers are all run as separate non-existing users.

    I don't know about on XP. User separation is the ideal method for restricting this, but I suppose their sandbox method doesn't permit that.

    I've used CRT but only ever on Windows 7.
     
  5. guest

    guest Guest

    Vulnerabilities patching was not included in my statement. By "point A" I meant the attack was being stopped right when the attacker was attempting the intrusion.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Yes correct, with additional configuration, you can make SBIE stop payloads from running. And even if the malware is running in the sandbox, it would not be able to write to the file system and registry, and could not inject code into other processes, unless it could escape the sandbox or perform a "privilege escalation". I do wonder though if a banking trojan that is running sandboxed would still be able to hijack the browser. :)
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    I don't have deep knowledge of Sandboxie, but if it is running in the same sandbox, why not?
     
  8. Hungry Man

    Hungry Man Registered Member

    There's nothing stopping it.
     
  9. bo elam

    bo elam Registered Member

    As I understand it, for your browser to be hijacked, you have to install a malicious addon. If your addons are well known and you are using a sandbox with internet access restrictions where only Firefox can connect, the trojan that gets downloaded into the sandbox can run but won't do anything else. If in addition to internet access restrictions you are also using Start/Run restrictions, the trojan won't even start. Bottom line: as a SBIE user, be careful about the addons that you install.

    Bo
     
  10. blasev2nd

    blasev2nd Registered Member

    I have the opposite question,
    is Google Chrome (without any add on) truly that invulnerable?

    PS: maybe I should open a new thread?
     
  11. WildByDesign

    WildByDesign Registered Member

    No software is truly invulnerable, particularly Internet-facing software like web browsers. However, I do think that Google and the Chromium developers thought of security first when it came to creating Chrome/Chromium with regards to the fast and frequent updating, sandboxing, etc. They take security seriously and patch quickly.


    Example: at Pwnium 2 (back in 2012) there was an exploit presented for a sandbox escape.
    See: http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html

    Chromium Projects Core Principles: http://www.chromium.org/Home/chromium-security/core-principles
     
  12. Hungry Man

    Hungry Man Registered Member

    @bo elam
    A malicious extension is one method. Maliciously patching files / just writing to files that already exist can be enough to get persistence within a sandbox.

    @blasev2nd
    On Windows Chrome is still limited by the kernel - it can reduce kernel attack surface in some interesting ways, but the Windows OS is just big, undocumented, attack surface.

    On Linux things are quite a lot better. Even the very few attacks we've seen on ChromeOS can be prevented on Linux systems in various ways.

    Of course, a bug like the Futex bug is exploitable from a locked down renderer and it's a special type of, essentially, unstoppable vulnerability.
     
  13. bo elam

    bo elam Registered Member

    Patching malware goes for Windows files, not Firefox. An infected sandboxed copy of a Windows file in a restricted sandbox cannot run, cannot connect, and I don't see how it can use (hijack) Firefox to do its thing. I looked around a little bit and I couldn't find anything about any malware of this kind that infects Firefox.

    Bo
     
  14. blasev2nd

    blasev2nd Registered Member

    OK, so it depends on the OS. I was using Chrome on Mac OS.
    Didn't really like the fact that it calls home at least three times a day.
    Maybe checking for updates or something else, and that's too many for my taste.
     
  15. Hungry Man

    Hungry Man Registered Member

    @bo elam

    It is possible to write to seemingly benign data files in order to gain persistence in a program. I don't know of any malware that does this.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Yes correct, there are not a whole lot of tools that can protect against malicious extensions at the moment. But I was thinking of banking trojans like Zeus. In theory you would be able to run it sandboxed, but will it also be able to inject into/modify memory of the sandboxed browser? :)
     
  17. Rasheed187

    Rasheed187 Registered Member

    I must say that the last couple of days I noticed that some other products like VoodooShield and MBAE are also using "patented" technology. This is getting a bit weird, how the heck can you patent software? Anyone could code the exact same protection into their own product. I wonder, what if Tzuk had patented Sandboxie in 2004, could other companies still have launched competing products like BufferZone and SafeSpace? :cautious:
     
    Last edited: Sep 1, 2014
  18. bo elam

    bo elam Registered Member

    I think the best protection against malicious addons is you, the user, Rasheed. Don't install addons that are not well known and popular, and get rid of the ones that you don't use. That's what I do. In W7, I don't have any plugins installed in my computer and only 3 extensions. In XP, I have one plugin and 4 extensions. If I don't use an addon on a regular basis, I get rid of it.

    I basically never install anything new in my computers but if I was to do so, sandboxed or not, I am extremely careful about anything that's bundled with the program that I am installing. Sometimes I install addons sandboxed for temporary use, even when I do that, I use the addon and delete the sandbox immediately after using it. And I always do it in a restricted sandbox with my personal files and folders blocked or hidden from programs running in the sandbox. Malicious addons don't bother me.:)

    Bo
     
  19. Rasheed187

    Rasheed187 Registered Member

    @ bo elam

    Yes I know, but what I was trying to say: I wonder how banking trojans will behave inside the sandbox. I've read a bit about them, and I have a feeling that they won't be able to run in the sandbox, but I'm not sure. :)
     
  20. Hungry Man

    Hungry Man Registered Member

    Current trojans will likely fail. An attacker who takes the sandbox into account will likely succeed, without breaking out of it. Anti-Executable aspects of software like Sandboxie necessitate a little bit of cleverness, but nothing revolutionary.
     
  21. bo elam

    bo elam Registered Member

    Rasheed, I think you can test Sandboxie's Start/Run restrictions and banking trojans going to MDL. You won't find one trojan able to run in a Start/Run restricted sandbox, but if for some reason ONE gets to run, it will not install sandboxed if you are also using Drop Rights. I think it's a boring test, but trojans against Sandboxie's restrictions can be easily tested.

    Bo
     
  22. bo elam

    bo elam Registered Member

    Even if you can find a trojan named firefox.exe and run it or download it in a restricted sandbox where only firefox.exe is allowed to run, the trojan won't run. :)

    Bo
     
  23. Rasheed187

    Rasheed187 Registered Member

    @ Hungry Man and bo elam

    Of course I'm now talking about stuff that could happen "in theory" because I also don't think that advanced banking trojans like Zeus will be able to run inside the sandbox (even when run manually, not by exploit) given the many restrictions. But does SBIE allow code injection from one sandboxed process to another? I can't test it right now, that's why I'm asking. :)
     
  24. Rasheed187

    Rasheed187 Registered Member

    I have asked a developer about how anti-exploit tools work, and I was right, they do indeed make use of IAT and inline hooks. This way they are able to detect attacks inside memory and control "process execution flow", I guess. :thumb:
     
  25. Hungry Man

    Hungry Man Registered Member

    I don't believe a sandboxed process can inject into any process outside of the sandbox.
     