Published on 2011-05-09 17:35:41 UTC by VUPEN Vulnerability Research Team
Hi everyone,
We are (un)happy to announce that we have officially Pwned Google Chrome and its sandbox.

The exploit shown in this video is one of the most sophisticated pieces of code we have seen and created so far: it bypasses all security features including ASLR, DEP and the sandbox (without exploiting a Windows kernel vulnerability), it is silent (no crash after the payload executes), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN, and it works on all Windows systems (32-bit and x64).
The video shows the exploit in action against a default installation of Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit, which executes various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).
While Chrome has one of the most secure sandboxes and has survived the Pwn2Own contest in each of the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP.
For security reasons, the exploit code and technical details of the underlying vulnerabilities will not be publicly disclosed. They are available to our customers as part of our vulnerability research services.
Note: The exploit works on all three Chrome channels: stable, beta, and dev.