Google Chrome Hacked? - vinhboy
http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php

======
gchucky
Their site seems to be going down, so here's the text:

---

Hi everyone,

We are (un)happy to announce that we have officially Pwnd Google Chrome and
its sandbox.

The exploit shown in this video is one of the most sophisticated codes we have
seen and created so far as it bypasses all security features including
ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it
relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works
on all Windows systems (32-bit and x64).

The video shows the exploit in action with Google Chrome v11.0.696.65 on
Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially
crafted web page hosting the exploit which will execute various payloads to
ultimately download the Calculator from a remote location and launch it
outside the sandbox at Medium integrity level. Note: The Calculator is used
here as an example; it can be replaced by any other payload.

While Chrome has one of the most secure sandboxes and has always survived the
Pwn2Own contest during the last three years, we have now uncovered a reliable
way to execute arbitrary code on any installation of Chrome despite its
sandbox, ASLR and DEP.

This code and the technical details of the underlying vulnerabilities will not
be publicly disclosed. They are shared exclusively with our Government
customers as part of our vulnerability research services.

The video in question is
<http://www.youtube.com/watch?feature=player_embedded&v=c8cQ0yU89sk>

------
calloc
Unless Google is one of their customers it may actually be a little while
before this exploit is fixed. VUPEN does security research and doesn't
disclose to original vendors unless they happen to be customers.

I both love and hate them. They are extremely talented and find absolutely
awesome bugs that are hard to discover without a lot of work, and I hate them
because they don't disclose their work unless it is for money. While I can
understand that they have to make a living too, it just feels wrong to not
protect everyone in the world when possible.

~~~
xutopia
The reality is that there is probably no chance that they would ever find
these bugs if they weren't funded to do it and the only way to be funded is to
have customers.

The net result is probably safer software for all.

~~~
alanh
The net result in this case is the government owning a zero-day root exploit
for every Chrome/Win citizen’s computer. It’s worse than zero-day because we
have no reason to expect a patch, so the window of attack will stay open.

~~~
kin
Out of speculation, would this tie in at all to an article I saw on HN a while
back about the Government hiring 3rd parties to hack Google for some reason?

~~~
GrandMasterBirt
Is it wrong for our government to do any security research? I mean can good
things not come out of it? Be thankful it was reported.

~~~
kin
I never said if anything was right or wrong, nor did I assume any of it, I
just asked if it was related. Good to know curiosity gets flagged around here.

------
adrianp
I can understand their joy but the last sentence in the post and the Twitter
update: "Sorry Google...we have officially pwned Google Chrome and its sandbox
with a 0-Day." [1] seem rather unprofessional for the "world leader in
vulnerability research for defensive and offensive security" [2], a company
with "Government customers".

[1] <https://twitter.com/VUPEN>

[2] <http://www.vupen.com/english/company.php>

~~~
burgerbrain
Who cares if they sound unprofessional to you? Very obviously they produce.

~~~
adrianp
I am still waiting for that obvious evidence. That includes more details and
also tests on the latest dev version of Chrome (Chromium). I am not defending
Google in any way, but some claim with no real evidence shouldn't convince
anybody.

~~~
tptacek
I saw a similar mentality on the Skype for Mac thread, as if there is a huge
incentive to just make up vulnerabilities. More or less, when HN threads don't
want something to be true ("terrible Chrome vulnerability with no public info
and no pending patch!"), they make up controversies to keep them from having
to accept that it's true. It's a bad habit.

~~~
coliveira
I have over the years participated on a number of communities "for smart
people", and this is the case in all of them. People have their particular
points of view, and when there is some evidence against what the group
considers to be good they use all kinds of ad-hominem attacks. I know it is
just human nature, but it is sad that people don't see these patterns
occurring.

~~~
JoeAltmaier
Be fair. Exceptional claims require exceptional evidence. They offer no
evidence at all. Scepticism is healthy.

~~~
lawnchair_larry
Browser bugs are found in every single browser on every single platform.
They're reported for free, traded privately, sold privately, given to the
vendor for a bounty, used to spread malware, discovered in American
corporations, discovered in Iranian corporations, and more. There is nothing
exceptional here. This is business as usual. It's non-trivial, but far from
exceptional.

------
JoachimSchipper
> This code and the [...] underlying vulnerabilities will not be publicly
> disclosed. They are shared exclusively with our Government customers

And the vendor, I hope? Of course, we know HBGary was developing private
exploits, but it wasn't exactly blogging about them.

~~~
trotsky
I'm not too sure that's the business VUPEN is in. Sure, it doesn't hurt them
much to share their latest Safari exploit given how slow Apple is on the fix,
but with Google their window has the potential to be very short.

~~~
tlb
Citation needed for such a serious accusation. They claim to be ethical. From
their about page: "VUPEN follows a private responsible disclosure policy and
reports all discovered vulnerabilities to the affected vendor under contract
with VUPEN, and works with them to create a timetable pursuant to which the
vulnerability information may be publicly disclosed."

~~~
ceejayoz
<http://www.vupen.com/english/services/>

> As the world leader in vulnerability research, VUPEN Security provides
> weaponized and highly sophisticated exploits specifically designed for Law
> Enforcement and Intelligence Agencies to help them achieve their offensive
> missions using tailored and unique codes created in-house by VUPEN for
> vulnerabilities discovered by our researchers.

Note also the "under contract with VUPEN" part of the disclosure bit.

~~~
chopsueyar
_Law Enforcement and Intelligence Agencies_

Which countries? It does not specifically state US.

~~~
trotsky
I'm pretty sure they limit their customer base to NATO signatories.

~~~
chopsueyar
Link?

~~~
trotsky
Well, I was close...

_- Gov. and Law Enforcement Agencies in Countries Members or Partners of
NATO, ANZUS or ASEAN_

<http://www.vupen.com/english/services/ba-gov.php>

~~~
caf
ASEAN includes such well-known liberal democracies as Burma, Vietnam, Laos and
Brunei.

------
watty
This seems extremely unethical to me. Now that the world knows there is a
massive exploit in Chrome, there are bound to be more hackers attempting to
abuse it - and have a few hints from the video. By blogging about this and not
disclosing it to Google, they are actually increasing the risk of millions of
individuals and companies being hacked.

Edit: Then again, blogging about it also makes Google aware of the exploit.
I'm sure they have tons of resources working on it that wouldn't have
otherwise...

------
rheide
vupen: "Hey Google, your browser has a very nasty bug that allows for
potentially horrible things to happen. We thought we'd share that with the
world. If you'd like to know where it is though, you'd better give us money."

~~~
lawnchair_larry
Why not? This is highly specialized research that not even well-paid Google
employees were able to do.

This is actually quite common in recent years for bug hunters and exploit
developers. I can think of a dozen or so companies that do the same thing.
Immunity is another example.

Trying to use a moral argument to get out of compensating someone when you
have the resources to do so is shameful. Sorry, but this stuff is worth far
more than the (up to) $3133 they are offering.

No More Free Bugs, as they say.

They can either pay a nominal fee for doing their security work for them, or
they can hire some equally talented people and fund this type of research on
their own internally. Fair is fair. There is no reason this isn't worth
compensating but something like pagerank optimizations is.

~~~
_delirium
Publicly announcing a security vulnerability, claiming that you're sharing it
with other clients with the intent of using it for "weaponized ... offensive
missions", and then demanding a fee to gain the information to protect against
said weaponization, sounds an awful lot like extortion. In the offline world,
I don't think you can legally run a business with a strategy of: discover a
problem in the security at one of Exxon's plants, publicly announce that
you've discovered a vulnerability and will be selling the information to third
parties, and then demand $N from Exxon for the details.

~~~
shasta
This is probably why they keep repeating that their customer is the
government. You could probably sell Exxon's security vulnerabilities to the
government and demand $N dollars from them to show them how to fix the
problem. It's advertising the vulnerability with posts like this that seems
most questionable (similar to extortion) to me.

~~~
_delirium
Yeah, that's the part that seemed odd to me as well, though someone
knowledgeable in this area of law (at least in the better-settled offline
case) could give some better info.

I believe it'd be okay, and probably actually happens, for a private security
consultant to do threat assessments for a (non-criminal) client, e.g. prepare
a report for DHS on the security of U.S. oil installations. _But_ it seems
like they'd be crossing a line if they posted a press release trumpeting a
major vulnerability they discovered, mentioning by name which company and
approximately where the vulnerability was located, but then refused to
disclose it to the company in question.

I'm not sure how much it survives, but I believe there was traditionally even
a common-law "duty to warn" if you were aware of significant risks to
someone's person or property.

~~~
chopsueyar
Google could easily sue them into oblivion for libel. They would be forced to
reveal the exploit during proceedings to prove their innocence.

~~~
sswam
One is not obliged to prove innocence in a sensible court of law.

~~~
mmagin
At least in the US, civil court cases do not have the presumption of
innocence, only criminal cases do.

------
SriniK
Looking at the video and the time it took to launch calc.exe, it could be a
PDF/Flash exploit that they are using.

Process count in process explorer started with 5 and at the end of the demo,
it looked like they have 8. That tells there are 2 extra processes that are
created (discounting 1 for calc.exe).

I tried to see if PDF/Flash creates new processes but I couldn't verify.
Perhaps a chrome developer could get a clue about what is happening looking at
the video.

~~~
Osiris
They are obviously hiding something. When they flip back to Process Explorer,
Chrome is perfectly sized to cover everything in the window except the
calc.exe. My guess is there are other processes running that they're trying to
hide that were used in the exploit.

~~~
dnewcome
It would have been trivial for them to patch Process Explorer to hide whatever
they wanted anyway.

~~~
est
Nah, the vupen marketing guys are too lazy to patch it.

------
Steko
"This code and the technical details of the underlying vulnerabilities will
not be publicly disclosed. They are shared exclusively with our Government
customers"

Love the capital G.

~~~
metageek
It's a standard formation in some publications--e.g., the New York Times.

------
mef
Seems odd to me that they don't publicly disclose the vulnerabilities, but
they do publicly disclose the software versions affected by their "weaponized
exploits", thereby giving the heads up to whomever might be targeted to avoid
using that newly compromised software.

~~~
chromic
I think the version disclosure here was less of a "This version has a bug" and
more of a "The latest version has a bug." It's a lot safer to tell people
which haystack the needle is in than to give away the needle anyway.

------
ryanclemson
The two things I noticed were that 1) The user of the device is named
"IAmAdmin", implying that they have admin rights, and 2) The "integrity" of
chrome.exe is changed from Low to Medium at some point during the attack. Could
this somehow be related to breaking out of the sandbox?

------
phaet0n
I wonder if this is a sandboxing issue with NaCl, which I noticed was added
(default disabled) in Chrome 11.

Considering how non-specific VUPEN are, I wouldn't be surprised if they're
hiding this.

~~~
tlrobinson
Sounds like it's Windows only, so I'd expect it to be related to the Windows
sandboxing.

~~~
Niten
Well clearly there are two things going on here, assuming VUPEN is on the
level:

1) A remote code execution exploit in Chrome

2) A privilege elevation exploit allowing the hijacked browser process to
break out of its mandatory access control jail

Number 1 is of necessity a bug in Chrome itself (or a plugin). Number 2 is
probably a vulnerability in the Windows sandbox, but it could instead be that
they found a way to successfully attack the small part of Chrome that runs
outside low integrity mode. They weren't specific as to the details.

This is, again, at the very least a remote code execution hole in Chrome, and
there's no fundamental reason Linux or OS X should be invulnerable to the same
hole. That Chrome on Windows is less secure than on Linux or OS X would be the
wrong thing to take from this; the point of this demo is that VUPEN
accomplished the feat of bypassing all the security mechanisms protecting
Chrome on Windows, whereas on the other platforms you have fewer of these
mechanisms in the first place (no real ASLR on OS X, no Chrome sandboxing last
time I checked on Linux).

------
flipbrad
To what extent is this extortion? I mean, they have admitted to only selling
to a government. That means they find and exploit vulnerabilities in software
created by a private corporation, disclose the existence of a vulnerability
publicly, but don't allow the corporate body the means of fixing it. This
news, if publicised, would harm Google's reputation and goodwill, perhaps
non-negligibly, and cause users to switch products. Unless, of course, Google
outbids a government. Pay up or suffer - would this be extortion?

~~~
sswam
I don't believe this crappy little security firm has more resources than
Google, even in the Security Research Dept. They can go find it themselves and
fix it. Anyway, it's probably mostly a Windows bug. If you line the right
bytes up together in Windows' RAM, it will void itself and yield 'root' or
whatever wiener name they have for it. Who knows, maybe the Govt is trying to
screw Google, and told them to do a fake release. Their post doesn't make them
sound like real pros.

------
krupan
"it works on all Windows systems (32-bit and x64)"

They didn't say that the exploit _didn't_ work on Mac or Linux, but one can
only assume they tested those and weren't successful?

~~~
Niten
I wouldn't assume that. I think the big deal here is that they managed to
break out of the Windows sandbox; that's what makes the exploit particularly
interesting. The same vulnerability could exist on Linux too, but they just
didn't invest the time in developing and demoing an exploit there too.

Or maybe not. I'm just saying, we can't assume either way.

------
jff
I'd like to mention something to everyone running around crying about the
falling sky because THE GUBBMINT has paid a security company to audit Chrome.
Oak Ridge National Labs just recently had to shut down COMPLETELY because an
Internet Explorer exploit "pwned" them. Do you maybe see how THE GUBBMINT
might be interested in knowing if other browsers, such as Chrome, are as
vulnerable?

But by all means, put on your tinfoil hats if that's more fun.

------
lojack
It's times like these (among others) that make me happy my browser
automatically updates behind the scenes.

~~~
llambda
That works as long as the exploit is known. What happens when it's not?

~~~
lojack
Same thing that happens when an exploit is found for a browser that doesn't
automatically update.

~~~
llambda
Which I suppose begs the question: Are automatic updates the silver bullet
they seem to be sold as? I don't unequivocally disagree with them, or rather I
disagree with them, but based on principle. In practice, it seems easy to
argue that the benefits outweigh the arguments against. Still it'd be nice if
there were at least an option to turn off the updates. (Perhaps there is and
I've missed it in the settings?) Nonetheless for the time being I'll stick
with my old fashioned browser, just because I'm the kind of geek that prefers
to initiate his own updates.

------
trololo
Does anyone know how much VUPEN charges for their exploits, on average?

------
bOR_
So, can google put a patch in Chrome that whenever it runs at VUPEN,
everything VUPEN has on that computer is shipped over to Google? :-).

Google has/had the 'do no evil' in their philosophy, and disabling a scheme
that misuses their software for cyber-warfare sounds like a good thing.

------
mdpm
The video is edited, right about when he's showing Process Explorer
post-exploit. The cursor suddenly leaps across the screen, so assuming they're
covering up the other child process of the main Chrome process is fair.
Strangely, Process Explorer's 'process count' only goes up by 1, despite
launching calc, and (seemingly) another child process. To be over-zealous, the
single row of visible pixels for that other process is consistent with
rundll32.exe.

That _still_ doesn't mean that it's not a Chrome bug - the exploit may use
Flash to retrieve the payload, make use of Flash-JS communication,
Flash-Chrome communication quirks etc.

------
comex
Impressive, but not surprising. Chrome isn't magical; ASLR and DEP have been
bypassed in the past, and even if its own sandbox is perfect, the kernel it's
sitting under is a huge attack surface.

~~~
daeken
ASLR and DEP, by and large, have nothing to do with the kernel. ASLR is a
function of the binary loader and memory allocators, which are in userland.
DEP is a function of userland memory protection flags (they're handled on the
bare metal by the kernel, but the kernel just sets what it's told to by the
userland). I'd put any amount of money down on the table that there is no
kernel vulnerability here at all -- if there was one, I assure you that it'd
be more than a Chrome vuln.

~~~
comex
I know; my comments about ASLR/DEP and the kernel were intended to be
separate. As for whether there's a kernel vulnerability, I'll defer to you
(although it doesn't have to be full-fledged arbitrary code execution; it can
just be a system call that's lax about security tokens), but in general the
breadth of kernel code the renderers can access is pretty large.

------
podperson
So assuming this is for real they're going to tell the government so it can
pwn us but not tell Google so it can fix it.

------
jlgosse
Not saying this isn't true, as I'm sure VUPEN is quite legit, but what stops
me from creating a keyboard shortcut to calculator.exe, opening a random
website which loads for a few seconds, and then pressing ctrl+alt+f6 or
something to open calculator?

~~~
trotsky
Nothing keeps you from doing it, their reputation keeps them from doing it.

------
jsprinkles
This video is extremely suspicious to the point of probably being an outright
lie. I would wager money that this vulnerability is a Flash exploit sold as a
Chrome exploit.

It is not an accident that they hid Process Explorer after the exploit. They
closed it before minimizing everything else intentionally. If you do not
believe me follow the mouse pointer. The screencaster moved toward bringing
Process Explorer top-level at 0:56 then realized it would show the entire
thing and restored Chrome on top of it instead. With that in mind it is
obvious that they do not want you to see what changed when it ran so instead
we have to work with what is visible:

Process Explorer before: <http://i.imgur.com/e31Rb.png>

Process Explorer after: <http://i.imgur.com/JfPTY.png>

First item of interest is that Chrome shot up to over 400 MB of memory used
which indicates that Flash is almost certainly involved.

Second, observe how long it takes for Calculator to start. Again, consistent
with Flash being involved and Chrome delay-loading it.

Third, there are scroll bars on the tab. Big ones. This says there is an
invisible item on the page taking up a lot of space which again points to
Flash. I saved the exact same content to a file and look how small I can go
without scroll bars: <http://i.imgur.com/R0eqk.png>

Fourth, flip back side by side through each photo and notice what disappears.
The Windows search indexer disappears between screenshot A and B and this is
what Vupen is intentionally covering up. You can still observe it indirectly
based on the rows and colors at right. It is my understanding that the child
processes of SearchIndexer.exe run at all times and not as some kind of cron
but I do not use Windows so please correct me if I am wrong. At any rate they
do disappear between A and B.

It would be very intelligent of them to blog post this as a Chrome sandbox
bust (which is sort of newsworthy) and gain that link bait attention but,
privately, use the exploit as the Flash and Windows vulnerability it most
likely is.

~~~
nitrogen
I can get Chrome to chew through all of RAM and swap just by repeatedly
changing the src= attribute of an img tag (which, by the way, I'd like
suggestions on avoiding). Flash isn't required to eat lots of RAM.

~~~
damncabbage
Re: "suggestions on avoiding"

Is this for a rollover, animation, or something else? (Mind posting a code
snippet up somewhere?)

~~~
nitrogen
I've been meaning to ask on Stack Overflow. It's simulating a video stream
from a device with no FPU that's probably too slow to encode WebM or H.264.
I'm dynamically generating a PNG image on the device and reloading it at
regular sub-second intervals in Chrome via JavaScript. [Edit: I had to write a
custom Ruby extension that directly calls libpng to get reasonable
performance]

I have a hidden <img> tag and a <div>. In the timer callback I set the src=
attribute of the <img> tag to the URI of the image plus the current time (e.g.
"/image.png?v=123456789"), then in the <img> tag's onLoad I set the <div>
tag's background-image style to the same value.

I was going to try using two <img> tags, and alternately hiding/showing them,
but I doubt that will solve the caching issue. My current workaround is to
keep the Chrome developer panel closed (which seems to store every resource
loaded by a page regardless of any cache directives from the server) and have
the page reload itself after 60 seconds of no user activity. Unfortunately,
Chrome's memory usage still grows, only not quite as fast.
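The polling scheme nitrogen describes mints a fresh cacheable URL ("/image.png?v=<timestamp>") for every frame, so a sub-second timer hands the browser thousands of distinct cache entries per hour. The block below is an added example, not nitrogen's code and not from any project in the thread: it keeps the cache-busting URL builder, but fetches each frame as a Blob, shows it through an object URL, and revokes the previous object URL so only the frame on screen stays referenced. The element id, endpoint, and interval are assumptions, and whether this removes the growth nitrogen saw in Chrome of that era depends on the browser's decoded-image cache, which the example does not control.

```javascript
// Added example (not nitrogen's code): poll a server-generated PNG into an
// <img> without handing the browser a new cacheable URL for every frame.
// Endpoint, element id and interval are assumptions.

// The cache-busting URL the post describes, made explicit. Kept even with
// cache: 'no-store' below, for proxies that ignore cache headers.
function buildFrameUrl(base, stamp) {
  const sep = base.includes('?') ? '&' : '?';
  return `${base}${sep}v=${stamp}`;
}

// Manages object-URL lifetime for one <img>-like target. `target` only needs
// a writable `src`; `urlApi` needs createObjectURL/revokeObjectURL and
// defaults to the browser's URL (injectable so it can be tested without a DOM).
class FrameDisplay {
  constructor(target, urlApi = globalThis.URL) {
    this.target = target;
    this.urlApi = urlApi;
    this.current = null; // object URL currently shown
    this.shown = 0;      // frames displayed so far
  }

  // Show one frame, then release the one it replaced.
  showFrame(blob) {
    const next = this.urlApi.createObjectURL(blob);
    const prev = this.current;
    this.target.src = next;
    this.current = next;
    this.shown += 1;
    if (prev !== null) this.urlApi.revokeObjectURL(prev);
    return next;
  }

  // Release the last frame too, e.g. when the stream stops.
  dispose() {
    if (this.current !== null) {
      this.urlApi.revokeObjectURL(this.current);
      this.current = null;
    }
  }
}

// Browser-side driver (assumed endpoint and interval). Only meaningful where
// fetch and a document exist; it is defined here but not invoked in Node.
function startFramePolling(imgId, base = '/image.png', intervalMs = 250) {
  const display = new FrameDisplay(document.getElementById(imgId));
  let inFlight = false; // never stack requests when the device is slow
  const timer = setInterval(async () => {
    if (inFlight) return;
    inFlight = true;
    try {
      const res = await fetch(buildFrameUrl(base, Date.now()), { cache: 'no-store' });
      if (res.ok) display.showFrame(await res.blob());
    } catch (err) {
      console.error('frame fetch failed', err);
    } finally {
      inFlight = false;
    }
  }, intervalMs);
  // Returns a stop function that also releases the final frame.
  return () => { clearInterval(timer); display.dispose(); };
}
```

In a page this would be wired up as `const stop = startFramePolling('frame');` once the `<img id="frame">` exists; the in-flight guard matters because a device that cannot keep up would otherwise queue requests faster than it can serve them.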

~~~
Adrock
I, and many others, have been anxiously awaiting a fix for this:

<http://code.google.com/p/chromium/issues/detail?id=36142>

It keeps getting punted. If you care, I recommend starring the issue.

~~~
nitrogen
I starred it, but it doesn't look like anybody working on Chromium cares to
fix it, and nobody's posted a reasonable workaround. So much for HTML5.

------
vanni
Oh my lonely Linux desktop, no 0-day for you as usual :P

------
sdoowpilihp
Whether or not this exploit is impressive, using the term "pwnd" comes across
as incredibly unprofessional and predisposes me to perceiving this whole
article in a negative light.

~~~
tptacek
No disrespect intended, but, it doesn't negatively predispose anyone who
conducts or utilizes vulnerability research professionally, so I doubt your
concern matters much to them.

~~~
gergles
Oh, thank you for this comment. I wasn't aware that literally everyone who
uses vulnerability research as part of their job had had a meeting and elected
a spokesperson.

------
fragsworth
A video of calculator showing up after clicking a link hardly constitutes
proof of an exploit.

Considering the fact that they aren't going to publish the exploit, I just
want to point out that this kind of thing could _easily_ be fabricated. There
are plenty of interests that benefit from unfortunate news about their
competitors.

~~~
kiiski
What would those "plenty of interests" be in this case?

