Send to Kindle

ChromeFor the second time this year, an anonymous teenage security researcher has succeeded in producing a full exploit, including a sandbox escape, against Google Chrome. The researcher, who uses the pseudonym PinkiePie, submitted his exploit Wednesday during the Pwnium contest run by Google at the Hack in the Box conference.

In March the same researcher showed up at the CanSecWest conference in Vancouver and was able to compromise Chrome in the first edition of the Pwnium contest, winning a $60,000 reward for his work. At the time, Google security officials said that they knew who the researcher was and that he had been working on that specific attack for some time. Google later detailed the process that PinkiePie used in that attack, after the vulnerabilities had been fixed, and said that the researcher had chained together six individual vulnerabilities in order to accomplish the compromise of Chrome.

PinkiePie used several discrete bugs in order to get to a point where he could impersonate the Chrome extensions manager. After that, he focused on finding a way to break out of the browser’s sandbox.

“Once he was impersonating the extensions manager, Pinkie used two more bugs to finally break out of the sandbox. The first bug (117715) allowed him to specify a load path for an extension from the extension manager’s renderer, something only the browser should be allowed to do. The second bug (117736) was a failure to prompt for confirmation prior to installing an unpacked NPAPI plug-in extension. With these two bugs Pinkie was able to install and run his own NPAPI plug-in that executed outside the sandbox at full user privilege,” Google said.

Google officials have not said much about PinkiePie’s techniques at Hack in the Box, only confirming that he was able to gain a full Chrome compromise again, earning another $60,000 reward. The company said on Wednesday afternoon released a fix for the vulnerabilities that PinkiePie used in his attack. The attack targeted two separate flaws, a use-after-free vulnerability and an arbitrary file write flaw. 

Pwnium is Google’s answer to the older Pwn2Own contest that takes place each year at CanSecWest. Pwn2Own is set up so that researchers who demonstrate an exploit against a previously unknown vulnerability in one of the targeted platforms wins a cash reward as well as the computer that they attacked. However, the contestants do not need to turn over the details of their exploit to the contest organizers, TippingPoint. 

Google officials decied to run their own contest this past spring at CanSecWest, with the stipulation that contestants would have to turn over all of the details of the bugs and their exploits. The rewards were much higher, but most of the Pwn2Own contestants demurred, preferring to get smaller up-front rewards and keep the details of the exploits to themselves.

The Pwnium contest at Hack in the Box in Kuala Lumpur is the second iteration of the competition and PinkiePie’s was the only successful submission. 

This article was updated on Oct. 10 to add information about Google’s fix for the Chrome flaws.

Send to Kindle
Categories: Vulnerabilities

Comments (23)

  1. Anonymous
    14

    I am prode of you “Pinkie Pie.”  Not only are you incredibly talented but, from what I gather, you have decided to use your powers for good.

     

    I’m sure that you could have exploited those bugs to much personal gain, but instead you gave that knowledge to Google and prevented crime agains innocent (and ignorant) users like me.

    Here, take the best pony award, but only for today.

  2. Anonymous
    15

    oop…sorry about the double post.

     

    My I place an emphasis on the “ignorant” part of my previous (2) comment(s)

  3. Anonymous
    17

    i just hope that next time google gets hacked, and he ends up hacking some more junk, he should pop in on a user, quizz him for weather he was a brony, and if they get it wrong it screws up interent temporarily, and if right it plays a flash of brohoof and alows user to continue whatever they where doing.

Comments are closed.