Google Chrome Pwned by VUPEN aka Sandbox/ASLR/DEP Bypass
A few days ago the news broke that VUPEN had managed to pwn Chrome, bypassing its sandbox and the system's protections:
Quote: Hi everyone,
We are (un)happy to announce that we have officially Pwned Google Chrome and its sandbox.
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
The video shows the exploit in action with a default installation of Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).
While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP.
For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are exclusively shared with our Government customers as part of our vulnerability research services.
Update: The exploit works on both Chrome versions 11.x and 12.x. It was also tested with Chrome v11.0.696.68 and v12.0.742.30.
Here is the demo:
As you can see, it appears to be a Chrome 0day, but there are differing opinions on Twitter suggesting that it is simply a Flash 0day (in the video you can see that, behind the browser window, in Process Explorer, new processes have been created, one of them at low integrity...). As always, it is yet another security problem with plugins, even though the browser's own developers have built a sandbox for it. There is a big debate among several security researchers about VUPEN's huge ego: some argue that, from the programmer's point of view, it is not really a Chrome 0day and they should be more humble, but from the exploiter's point of view the PoC worked and the browser was pwned, by whatever means. Which opinion do you side with?