For the second time this year, an anonymous teenage security researcher has succeeded in producing a full exploit, including a sandbox escape, against Google Chrome. The researcher, who uses the pseudonym PinkiePie, submitted his exploit Wednesday during the Pwnium contest run by Google at the Hack in the Box conference.
In March the same researcher showed up at the CanSecWest conference in Vancouver and was able to compromise Chrome in the first edition of the Pwnium contest, winning a $60,000 reward for his work. At the time, Google security officials said that they knew who the researcher was and that he had been working on that specific attack for some time. Google later detailed the process that PinkiePie used in that attack, after the vulnerabilities had been fixed, and said that the researcher had chained together six individual vulnerabilities in order to accomplish the compromise of Chrome.
PinkiePie used several discrete bugs in order to get to a point where he could impersonate the Chrome extensions manager. After that, he focused on finding a way to break out of the browser’s sandbox.
“Once he was impersonating the extensions manager, Pinkie used two more bugs to finally break out of the sandbox. The first bug (117715) allowed him to specify a load path for an extension from the extension manager’s renderer, something only the browser should be allowed to do. The second bug (117736) was a failure to prompt for confirmation prior to installing an unpacked NPAPI plug-in extension. With these two bugs Pinkie was able to install and run his own NPAPI plug-in that executed outside the sandbox at full user privilege,” Google said.
Google officials have not said much about PinkiePie’s techniques at Hack in the Box, only confirming that he was able to gain a full Chrome compromise again, earning another $60,000 reward. The company said on Wednesday afternoon that it had released a fix for the vulnerabilities that PinkiePie used in his attack. The attack targeted two separate flaws, a use-after-free vulnerability and an arbitrary file write flaw.
Pwnium is Google’s answer to the older Pwn2Own contest that takes place each year at CanSecWest. Pwn2Own is set up so that researchers who demonstrate an exploit against a previously unknown vulnerability in one of the targeted platforms win a cash reward as well as the computer that they attacked. However, the contestants do not need to turn over the details of their exploit to the contest organizers, TippingPoint.
Google officials decided to run their own contest this past spring at CanSecWest, with the stipulation that contestants would have to turn over all of the details of the bugs and their exploits. The rewards were much higher, but most of the Pwn2Own contestants demurred, preferring to get smaller up-front rewards and keep the details of the exploits to themselves.
The Pwnium contest at Hack in the Box in Kuala Lumpur is the second iteration of the competition and PinkiePie’s was the only successful submission.
This article was updated on Oct. 10 to add information about Google’s fix for the Chrome flaws.