PWN2OWN Goes Deep to Exploit Browsers
Which browser will fall and how? PWN2OWN organizers give us an early look at what to expect and why use-after-free errors are likely to dominate.
The Pwn2own hacking challenge, sponsored by HP TippingPoint, has emerged as one of the pre-eminent security events in any given calendar year. Security researchers compete to see who can hack web browsers and mobile platforms, with cash and prizes up for grabs.
This year more money than ever will be on the line for researchers that specifically target Chrome, though Firefox, IE and Safari are still in researchers' crosshairs. Google is putting up $20,000 for Chrome vulnerabilities, while the total contest prize pool is approximately $125,000. Mobile platforms are also set to be targeted, as researchers go beyond just the operating system to take aim at the underlying hardware as well. Researchers will also be going after the most secure aspects of browser security in an effort to demonstrate vulnerabilities.
"Chrome has a sandbox, while IE has a protected mode which is similar in concept. Last year we didn't take that into account and we didn't require people to break out of protected mode; this year we are," Aaron Portnoy, Manager of the Security Research Team at TippingPoint Technologies, told InternetNews.com. "The bar has risen, not just on Chrome because of its sandbox but IE as well."
The fact that researchers will need to break out of the protected areas of Chrome and IE is a challenge that isn't being ignored either.
"I do know that someone is competing against IE and they will be using a privilege escalation bug to break out of protected mode, which is quite a big deal," Portnoy said. "It usually requires a kernel bug, or something in the GDI interface and it's something that's in the operating system so it will be a two-fold bug."
The two-fold bug could potentially take advantage of both the operating system and the browser in order to exploit the user.
"With regards to Chrome, I'm not sure what techniques they'll be using or if they have a way to break out of the sandbox," Portnoy said. "I assume that if they have a bug that enables them to break out of IE's protected mode they may be able to use that same underlying bug in the operating system to exploit Chrome."
Portnoy added that just like IE, Chrome has to rely on the operating system for a lot of things. From the browser side of the equation, most exploits come from some kind of use-after-free memory flaw. Portnoy noted that code can sometimes reference an object that is no longer in use in a dynamic web application.
"Due to the fact that code is implemented in C++, when you compile C++ you have a lot of virtual function tables with pointers that are laid out on the heap," Portnoy explained. "So the way that works is when you try and access a particular object and call one of its methods, you're actually calling a pointer that is no longer valid."
Portnoy added that heap spray attacks then allow researchers to fill memory so that, when the invalid pointer is called, it references the attacker's heap spray region.
"So I predict that most of the browser bugs will be related to a use-after-free issue," Portnoy said.
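The use-after-free pattern Portnoy describes, written out as an added C++ example (not code from the article or from any of the browsers it mentions): a DOM-like object with a virtual method, a handler that keeps a stale raw pointer to it after it is deleted, and the hardened form in which the handler holds a `std::weak_ptr` and checks liveness before the virtual call instead of dereferencing a dead vtable pointer. The `Node`, `Image` and `Handler` names are hypothetical; the vulnerable function is kept only for comparison and is never executed.

```cpp
#include <memory>
#include <string>

// Hypothetical DOM-style node. The virtual method means the compiler places a
// vtable pointer at the start of every Node on the heap, which is the layout
// Portnoy refers to: a call through a dangling Node* reads that stale pointer.
struct Node {
    virtual ~Node() = default;
    virtual std::string tag() const { return "node"; }
};

struct Image : Node {
    std::string tag() const override { return "img"; }
};

// Stands in for "the DOM removed the element": the object is freed here.
static void remove_element(Node* n) { delete n; }

// Vulnerable pattern (reference only, never called): an event handler caches a
// raw pointer, the element is removed, and the handler later makes a virtual
// call through the freed object. That call goes through whatever now occupies
// the old vtable slot, which is the condition a heap spray relies on.
std::string vulnerable_tag_after_free() {
    Node* cached = new Image();
    remove_element(cached);   // object freed, `cached` now dangles
    return cached->tag();     // use-after-free: undefined behaviour
}

// Hardened pattern: ownership is explicit (shared_ptr) and the handler holds
// only a weak_ptr, so it can detect that the object is gone and refuse the
// call instead of dereferencing freed memory.
class Handler {
public:
    explicit Handler(const std::shared_ptr<Node>& n) : cached_(n) {}

    // Returns the tag while the node is alive, or "" once it has been freed.
    std::string tag_or_empty() const {
        if (auto live = cached_.lock()) {
            return live->tag();   // lock() keeps the object alive for the call
        }
        return "";                // freed: no dereference, no stale vtable
    }

    bool target_alive() const { return !cached_.expired(); }

private:
    std::weak_ptr<Node> cached_;
};

// Drives the hardened handler through the same lifecycle as the bug:
// returns "<tag before removal>|<tag after removal>".
std::string safe_tag_after_free() {
    auto node = std::make_shared<Image>();
    Handler h(node);
    std::string before = h.tag_or_empty();   // "img"
    node.reset();                            // element removed: last owner gone
    std::string after = h.tag_or_empty();    // "" rather than a dangling call
    return before + "|" + after;
}

// Reports whether the handler correctly observes the node's death.
bool handler_detects_free() {
    auto node = std::make_shared<Node>();
    Handler h(node);
    bool alive_before = h.target_alive();
    node.reset();
    return alive_before && !h.target_alive();
}
```

The point of the hardened version is not the smart pointer itself but that the liveness check happens before the virtual dispatch; a sanitizer build (for example compiling with AddressSanitizer) would flag the vulnerable function on its first call, which is the detection a defender wants long before a contest payload lands.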
HP TippingPoint and its Zero Day Initiative (ZDI) are in the business of paying security researchers for flaws. Flaws reported to ZDI are disclosed responsibly to the affected vendors and are not immediately made public. Multiple browser vendors, including Google and Mozilla, have already updated their respective browsers ahead of the event.
Demonstrating a vulnerability at Pwn2own in 2011 also involves a payload this year. Portnoy noted that the payload is not malicious; it's just an innocuous test file.
The way the payload demonstrates a browser vulnerability is that, in the context of a normal browser session, a researcher is not able to write a file to a particular directory.
"If you have an exploit running and you are not in the confines of a protected mode or a sandbox, you should be able to write to that directory," Portnoy said.
While the Pwn2own payload isn't malicious, an exposed vulnerability could be very dangerous.
"They could have the payload bind a port to the attacker's shell and enable full access," Portnoy said. "You can think of what we're asking for as a neutered exploit, it doesn't have any malicious capability."
March 02, 2011