

A Tale of Two Pwnies (Part 1) - tkazec
http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html

======
tptacek
What's amazing about this bug is that at every step you learn something that
makes Pinkie Pie more terrifying while _simultaneously_ making the Chrome
security model sound more and more forbidding.

~~~
Natsu
And the worst is yet to come....

---

In an upcoming post, we’ll explain the details of Sergey Glazunov’s exploit,
which relied on roughly 10 distinct bugs. While these issues are already fixed
in Chrome, some of them impact a much broader array of products from a range
of companies. So, we won’t be posting that part until we’re comfortable that
all affected products have had an adequate time to push fixes to their users.

~~~
zobzu
The post is great in itself (clear and easy) but the constant marketing speech
about how great Chrome is regardless of the bugs gets on my nerves to be
honest. Yes Chrome is a very good browser, but I don't have to read that every
paragraph in various forms... especially for tech articles.

It also looks to me like devs commit code in a lazier way since Chrome
has a strong sandbox model for various components. But as a result, it seems
easier to find many bugs that, when combined, bypass the sandbox, as shown.

Just my 2cts ;-)

~~~
tptacek
There is no way to explain how awesome Pinkie Pie's exploit is without
simultaneously explaining how intricate Chrome's security model is.

A great way to market a browser is to have a security model so
interesting/effective/intricate that any description of a working exploit will
also serve as marketing.

~~~
zobzu
I disagree. Marketing does not have to be in _every_ _damn_ _blogpost_.

It's just annoying ;-)

While they attempt (and apparently succeed) to make you believe that
exploiting Chrome is exceptional and it's such a super high security program:

The bottom line is, 2 guys showed up with a complete remote exploit of Chrome.
And there are more exploits that are obviously unreleased, and some that will
get released each year.

That is the true bottom line.

So again, while the article is _nice_ and _clear_, the exploit is a _good_
pony job as well - the marketing behind it makes the read annoying. It's a
trend and it's not just Google. You even justify it as if marketing was a
_required_ thing to have and if you don't try to do it, you're just missing
out. Well, I digress.

~~~
obtu
The only place I see some rhetoric is the second sentence of the first
paragraph, the second paragraph, and the first sentence of the second to last.
It's tame: it emphasises the exploit being very involved, which is well
supported by the rest of the report. Everything else is necessary detail that
describes the progression of the exploit from Pinkie Pie's point of view.

Your contributions, on the other hand, are much more content-free, being
mostly value judgements against Chrome's PR or the supposed overconfidence of
their programmers. And while you do brush on more technical matters, you do so
by name-dropping products rather than being informative and describing the
relevant security property.

------
pilif
In the end it all boiled down to old-style plugins. All the exploits were used
to finally install and run an old-style NPAPI plugin.

Just like ActiveX, these are binary code that usually runs outside of any
sandboxing due to compatibility reasons.

With NaCl or just the advances in HTML and related technologies, this kind of
plugin really should have outlived its usefulness by now and maybe it's time
to drop support - at least support for all plugins but a few whitelisted ones
from the older ages.

Like Flash and maybe QuickTime (though both have a terrible security track
record).

Though considering the persistence of piling up bugs that was happening here,
for all we know, there would have been a different exploit somewhere else that
could have worked even without NPAPI. It would just close one more attack
surface.

~~~
aboodman
Wait until you see the other one. There are a surprising and depressing number
of ways to get a browser to run native code on legacy operating systems.

Yes, plugins should go away. No, that won't stop this kind of thing :/.

------
picklefish
I'd love to see a writeup from Pinkie Pie on the steps and tools he used to
find these bugs. Reversing write-ups are always entertaining to read.

------
Jun8
So for about $120K+ they had more than 16 significant bugs discovered in
Chromium. That's really cheap!

------
mark-r
If you don't have a young girl you might not appreciate the link between
"Pinkie Pie" and "Pwnie": <http://mlp.wikia.com/wiki/Pinkie_Pie>

~~~
CrazedGeek
Somewhat OT, but the show has a fairly sizable periphery demographic (males
13-35), which I would guess the hacker considers himself a part of. More
information: [http://knowyourmeme.com/memes/subcultures/my-little-pony-fri...](http://knowyourmeme.com/memes/subcultures/my-little-pony-friendship-is-magic)

~~~
btown
Pinkie's not the only brony hacker either. Consider this Rainbow Dash fan:
[http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_c...](http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/)
... and in general, there are a plethora of bronies scattered across the
startup world and CS academia (full disclosure: myself included).

------
moistgorilla
This really takes you into the mind of a hacker (the malicious kind). Judging
from what I saw it seems they combine a ton of small exploits to produce a
major security breach. The amount of understanding of the underlying system
you need to have in order to put these exploits together is mind boggling.

What do we do against people like this?

~~~
lawnchair_larry
I don't like how you vilify him and call him malicious. Nothing about this was
malicious. He even gave it to Google for far less than it was worth. This was
a legitimate audit and demonstration and it is wrong to associate anything
negative with it.

_What do we do against people like this?_

You're asking the wrong question. Remember, he didn't put those bugs there. He
didn't break anything. It was already broken. He just found the hole by
reading exactly what you gave him.

What you should be asking is, how do we stop making software with
vulnerabilities. The goal is to make it so that there is no hole to find, not
to get rid of the hole-finders.

~~~
shmageggy
Just to play angel's advocate, your parent could have been referring to an
abstract malicious hacker, who would probably think the same way and use the
same techniques as Pinky. The "mind of a hacker (the malicious kind)" is
probably very much like the mind of Pinky, except for the parts governing
ethics. And he asks what to do "against people like this", not what to do
against Pinky himself.

But you are right, and it is valuable to point out that neither Pinky nor
Homakov nor any other talented whitehat is in any way malicious.

------
cnbeuiwx
This is a _real_ hacker. I wish I had this kind of passion and intelligence
myself. :)

------
jorgem
So crazy. I wonder how long it took to come up with that attack? There must
have been a ton of dead ends along the way.

~~~
wizzard
Well, if you start from the last step (I want to load an NPAPI extension
because I can gain control from one) and work backwards it seems a little less
like stumbling in the dark.

I liked the confirmation prompt bug though, that was icing on the cake.

~~~
jorgem
Backwards... smart!

------
jtchang
It is scary that once you have a foothold it just becomes a matter of time
until someone figures out how to use it to piggyback on to more unrestricted
space.

------
thereason
"a low level interface to the GPU command buffer"

This sounds cool. Is this a standard feature in Chrome?

~~~
obtu
It's available for extensions I think (there's also the higher-level WebGL
which you must be aware of), and requires whitelisted graphic drivers. As you
can see, graphic acceleration offers a huge attack surface (memory-unsafety in
C++ code, plus logic bugs at highly privileged levels like graphic drivers,
firmware, and the hardware itself). Some of these layers realistically won't
be protected until they have proper IOMMU support.

------
tobyjsullivan
Just... sick! Wow. Speechless.

