Pwnium 2 Begins - Chrome Hacked Again

Discussion in 'other security issues & news' started by Hungry Man, Oct 10, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  2. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    and fixed

    http://googlechromereleases.blogspot.ca/2012/10/stable-channel-update_6105.html

     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    No details yet on the nature of the exploit?
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html
    There's a talk on it but it's on Malaysian time so IDK when it's happening.

    Basically (my opinion) there was a remote code execution in the SVG filter code. He may have gotten into the GPU sandbox from there (hardware accelerated SVG filters) or not, probably just in the renderer process. From there he used a flaw in how the IPC between the renderer process and some other process works, potentially the broker process. After that he's out - you control the broker you get medium integrity access to the system.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Okay thanks! Good on Chromium to get a patch for it in a very timely manner :)
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes. And if you're using Apparmor this is exactly the the type exploit it's good for.
     
  7. Go pinkie-pie!
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, basically, having the broker process running at a low integrity level would render the exploit useless...
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Probably. At that point the attacker would move from Untrusted to Low Integrity.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Only in a target attack, as I don't believe this is something that the vast majority of Google Chrome users use it. :D Not to mention, the user would need not to have any other line of defense against the exploit. :)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Targeted or not the way it looks right now is that an attacker would control the broker process regardless of it's integrity. So if you run it at Low they run as low, there wouldn't be any need to change how the attack works afaik but no details are out yet.

    What other line of defense would you implement here? Just curious - sandboxie I guess?
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I haven't been using Sandboxie, except to try out software once in a while. But, it would be one possible solution. There are quite a few solutions that go from preventing the exploit from being triggered in the first place, and if it can't be triggered, then it can't do crap... to containing the payload, which would be where Sandboxie and the like fit in...

    Now, to what I use... well... those are secrets of the trade, I'm afraid. :D A "cook" can't share all the ingredients, now can he? :p
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I suppose not. Only curious though. I certainly know how I'd like to protect Chrome in theory on Windows the tools simply aren't there - hence the curiosity.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What tools would you like to exactly see for Windows, and that would allow you to further increase Chrome's security?
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Something similar to Apparmor/ SELinux in some ways but different in others. Can't go too far into what I'd really like to see, honestly. But something to properly mitigate this would require something that can contain the broker process.
     
  16. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Wow Google must be the only browser developer that puts so much money into their browser security. :eek:
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Firefox has a security team as well that they pay. They also pay thousands of dollars through their bounty program.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Windows Integrity levels is a nice step in the right direction, but it doesn't seem to be nearly in the same league as Apparmor.
     
  19. Until we get a better system than the SSL certificate one then we are all doomed. They really have to come up with something better. I'm not sure what it is, Chrome is showing the way for how to secure a browser but there is still a lot to be desired.

    It doesn't matter how many exploits are found really, if your being MITM'd then your stuffed.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    HSTS is the answer to most SSL woes.
     
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    All HSTS does is stop tools like sslstrip, which is nice, but not enough to proclaim SSL would be bullet proof. It doesn't solve the CA certificate problem (rogue CA's, CA's getting hacked, etc). Nor does it stop attacks like BEAST or CRIME, both of which are a result of incorrect cipher mode usage or compression.

    IMO, the whole CA model needs to be scraped. We need something better like Monkeysphere, Convergence or the EFF's various proposals. Perhaps a combination of all of them.

    What I would also like to see is for NIST to hold a competition for a stream cipher (like they did for AES and SHA-3). RC4 is good, but it is very fragile. If you don't implement it just right and discard parts of the keystream, it can fall apart (as it did with WEP). It's also been around since 1987, so a lot has been learned since then. The community should take that knowledge and create new stream ciphers.

    What advantage does a stream cipher have over, say, AES? For one, speed is a big one. Second, you don't have to worry about "modes" like CBC, CTR, CCM, etc. The BEAST attack is only possible, not because AES is weak, but because using it in CBC mode has some problems. The BEAST attack doesn't affect RC4.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at geswall. It is like acl/srp on steroids. It follows windows naming conventions,
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Convergence is already proposed to be built into the PKI SSL system.

    I think sslstrip is a much much bigger issue. To attack someone without sslstrip requires hacking your own certificate for MITM attacks. That's not that easy - or it doesn't have to be. With SSLStrip you're good to go - any non HSTS site is broken (ie: anything other than gmail and twitter pretty much, mayb eFacebook uses it now).

    @Kees,

    I'll have a look, thanks.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    A programmer like you will recognice named pipes etc. Pitty it is only 32 bit
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @HungryMan

    You asked m00nbl00d what else he would use other than Low IL on chrome. Why is that? Do you see Low IL as not restrictive enouh, assuming the exploit had full access to that low IL process?

    Sul.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.