Pwn2Own at CanSecWest 2013

By on 6 March, 2013

Today MWR Labs (@mwrlabs) demonstrated a full sandbox bypass exploit against the latest stable version of the Google Chrome browser. The demonstration took place during the annual Pwn2Own competition at the CanSecWest conference in Vancouver. The vulnerabilities were found and the exploit was developed by MWR researchers Nils (@nils) and Jon (@securitea).

We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop. By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.

As with many modern operating systems, there were a series of memory protection mechanisms that needed to be bypassed before reliable code execution could be achieved. Specifically, Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) made it more challenging to develop a reliable exploit.

We were able to exploit the first vulnerability in multiple ways, allowing us to leak the addresses of several objects in memory, calculate the base address of certain system dlls, read arbitrary data, and gain code execution. This allowed us to bypass ALSR by leaking the base address of a dll, and to bypass DEP by reading that dll’s .text segment into a javascript string, allowing us to dynamically calculate the addresses of ROP gadgets.

Follow us on Twitter (@mwrlabs) for more updates. A more in depth technical blog post will be released once the vulnerabilities have been patched by the vendors, which will detail the process of finding and exploiting these bugs.