
Researchers win $100,000 for Chrome hack that leaves Windows vulnerable

Researchers from MWR Labs find a way to exploit a Chrome vulnerability, sidestep Windows 7 safety measures, and do whatever they want on the operating system.

Don Reisinger

Security researchers at MWR Labs have won a $100,000 prize at the Pwn2Own hacking competition in Vancouver.

The researchers showed off their hack yesterday as they took a fully patched version of the Google Chrome browser, hacked it, and then took control of Windows 7. According to the researchers, when a Chrome user visits a malicious Web page, it's possible for the page's creator to exploit a vulnerability that allows for code execution in the sandboxed renderer process. From there, the team exploited a kernel vulnerability in Windows 7 to gain elevated privileges and execute commands.

Here's what the researchers were able to achieve:

We were able to exploit the first vulnerability in multiple ways, allowing us to leak the addresses of several objects in memory, calculate the base address of certain system dlls, read arbitrary data, and gain code execution. This allowed us to bypass ASLR by leaking the base address of a dll, and to bypass DEP by reading that dll's .text segment into a javascript string, allowing us to dynamically calculate the addresses of ROP gadgets.

According to the researchers, they were able to exploit the browser and operating system without changing any settings in the default setups of those platforms.

"Google Chrome is one of the most widely used Web browsers globally, and was perceived to be the hardest target in the competition," MWR InfoSecurity managing director Ian Shaw said today in a statement. "The reason Chrome was chosen as the target for the demonstration is to encourage understanding, as a security breach of this nature could expose millions of users to serious risk."

MWR Labs didn't provide specifics on the code it exploited to take control over Windows 7, deciding instead to share the holes with vendors so they can be patched.