Chrome exploit and sandbox escape demonstrated at CanSecWest, $60k awarded - lawnchair_larry
https://pwnium.appspot.com/

======
pvarangot
Well, it seems ZDI sort of missed the boat with their earlier statements about
60k not being enough.

Quote: _Due to our disagreement about the best way to get the most
vulnerabilities fixed, Google has withdrawn sponsorship of Pwn2Own. We
understand their reasons for doing so: they want to be able to receive the
sandbox escape details to improve the security of their product. That is why
they launched Pwnium. What we believe they fail to realize is that, for the
$60,000 they are offering, it is incredibly unlikely that anyone will
participate. For example, a quote from a prior Pwn2Own
winner:<https://twitter.com/#!/VUPEN>: "Google canceled its sponsorship of
#pwn2own and launched its own #pwnium. To win, report your sophisticated
exploit. We're not interested!"._

[http://dvlabs.tippingpoint.com/blog/2012/02/29/pwn2own-and-pwnium](http://dvlabs.tippingpoint.com/blog/2012/02/29/pwn2own-and-pwnium)

~~~
drivebyacct2
I'm not big into the security game/community, but I really don't understand
the logic of "don't divulge how you break out of the sandbox = more exploits
get fixed". And I did read the source link and try to understand...

~~~
DrCatbox
Google just wants the work done for them. If you can make an exploit, you can
explain how it works and how to patch it. On the other hand, if Google just
sees an exploit in action, they have to spend time reverse-engineering it to
find out how it breaks the sandbox and come up with a fix, which takes far more
time than simply requiring the working exploit.

~~~
alexchamberlain
They are paying you $60,000... Hardly exploitative! And it's legal!

~~~
lawnchair_larry
$60k looks like a lot less when you don't know going in that you'll even find
anything. It's potentially months of speculative work, and you stand a very
good chance of coming up empty handed. For not much less, anyone with this
skill set can have a guaranteed salary.

There is also the fact that anyone in the industry can make a few phone calls
and have a bidding war on this type of exploit that will go well into the 6
figures, possibly as high as 7 according to some. $1M sounds high to me
personally, but there is no doubt that it will fetch a few hundred thousand.

~~~
khuey
Taking the 60k from Google doesn't lead to spending several years of your life
in Federal prison, which is a significant risk with selling an exploit.

~~~
lawnchair_larry
Where on earth did you get the idea that there is something illegal about
selling exploits? Several companies exist that do exactly this, and they
operate in public, above board.

To my knowledge, the US government is the biggest buyer of unpublished
exploits. And they pay _a lot_ more than 60k. One well-known US-based company
is even run by a former NSA employee, and they're currently advertising a
remote pre-authentication exploit in the latest version of MySQL.

~~~
rand_r
Ignoring the US government, what legal use would a company have for un-patched
exploits?

~~~
trotsky
Penetration testing is the common answer, though that job description can also
be a bit of a euphemism.

It is also worth noting that breaking into the computer of a foreign national
that is located overseas is often not a crime in the United States, or is at
least considered very difficult to prosecute if it doesn't involve fraud,
financial transfers or a few other hot buttons.

------
dminor
Not surprised to see it's Sergey Glazunov - he's been awarded seemingly dozens
of Chrome bug bounties already.

------
Estragon
Anyone know which of the chrome sandboxes this was? If it was NaCl, I would
really like to know.

~~~
fjarlq
_"According to Justin Schuh, a member of the Chrome security team, Glazunov's
exploit was specific to Chrome and bypassed the browser sandbox entirely. "It
didn't break out of the sandbox [but] it avoided the sandbox," Schuh said in
an interview."_

[http://www.zdnet.com/blog/security/cansecwest-pwnium-google-chrome-hacked-with-sandbox-bypass/10563](http://www.zdnet.com/blog/security/cansecwest-pwnium-google-chrome-hacked-with-sandbox-bypass/10563)

~~~
Estragon
Thanks for the info.

------
cpeterso
Though Pwnium may (quietly) reveal exploits in Chrome, Google will
conveniently _not_ be featured in sensationalist headlines about Chrome being
hacked more quickly or often than other browsers at Pwn2Own.

~~~
Tobu
<https://twitter.com/VUPEN/status/177518987972849664>

~~~
lawnchair_larry
So for people as confused about this as I was, there are two similar but
distinct contests at CanSecWest right now. Google Chrome is a target in both
of them, and it has fallen in both of them.

This tweet refers to Pwn2Own, which is the one sponsored by ZDI, and which
VUPEN apparently won (without having to share their exploit). The other,
Pwnium, is the Google-sponsored contest.

------
islon
I wish Microsoft did the same with IE. One can wish...

------
16s
At the risk of being downvoted, I'll point out that sand-boxes are virtual.
Virtual is pretend. Pretend things are easy to break and easy to fool. You
just make them believe that everything is still OK.