For Team VUPEN, browsers ain’t nothing but vehicles for remote code execution and sandbox escapes.
That modus operandi became clear during the Pwn2Own competition at CanSecWest, the Vancouver hackathon that wrapped up last weekend, as Team VUPEN pwned their way to the top of the podium taking home the grand prize of $60,000.
One of Team VUPEN’s more impressive coups of the conference was finding a heap overflow vulnerability in Internet Explorer 9 that would allow malicious code to run outside of Protected Mode (Internet Explorer’s sandbox). To deliver the code the team used a specially crafted webpage that didn’t require any sort of user interaction or download.
But their win wasn’t without controversy: Charlie Miller, a Pwn2Own regular and favorite for his headline-making work finding zero-day exploits on fully patched Mac OS X boxes, complained that the rules implemented this year favor larger teams.
“I understand why they switched; they wanted to remove the whole ‘random draw’ from the equation, which I [thought] was a necessary move. Last year I had a Safari exploit that I didn’t get to use because the Vupen guys got their name drawn before me and I was pretty upset,” Miller complained to ZDNet in an interview. “The new format is really more of a team competition while in the past it was more of an individual competition. Plus I don’t really want to spend CanSec writing exploits.”
The other controversy to haunt the conference was Google’s decision to withdraw from the contest over a disagreement on how exploits would be shared with vendors (Google ran its own contest at CanSecWest in parallel). Google’s Chrome security team posted this statement on their blog:
Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. We will therefore be running this alternative Chrome-specific reward program. It is designed to be attractive — not least because it stays aligned with user safety by requiring the full exploit to be submitted to us. We guarantee to send non-Chrome bugs to the appropriate vendor immediately.
Hardware Canucks caught up with Team VUPEN’s CEO and research chief, Chaouki Bekrar, to talk about browser insecurity.
HWC: In your opinion, what is the most secure browser on the market right now? Least secure? How secure is Chrome’s sandbox?
Bekrar: Google Chrome is probably the most secure browser currently available, as it has a very strong sandbox preventing many actions. Google Chrome, Internet Explorer 9, and Safari on Mac OS X Lion are probably the most difficult browsers to attack, as they include all exploit prevention technologies such as DEP [Data Execution Prevention], ASLR [Address Space Layout Randomization] and a sandbox. Firefox, however, lacks a sandbox, which makes it easier to exploit compared to other browsers.
HWC: Some say the Mozilla foundation has ‘dropped the ball’ when it comes to the security of Firefox and patching known vulnerabilities. Do you agree or disagree?
Bekrar: Google has set up the most regular security updating process for its Chrome browser, which leads to a large number of vulnerabilities being fixed very often. Additionally, Chrome updates are installed automatically without user interaction, which means all users are running the most recent version of the browser. Firefox, Internet Explorer and Safari are usually updated each quarter, which is definitely not enough.
HWC: Can you briefly describe your exploits for Internet Explorer?
Bekrar: Our exploit for IE combines two distinct zero-day vulnerabilities: the first is a heap overflow related to the processing of HTML data, and the second is a memory corruption in the broker process which allows the bypass of the Internet Explorer sandbox (Protected Mode).
HWC: Are heap overflow vulnerabilities unique to Internet Explorer or are there similar vulnerabilities in other browsers?
Bekrar: Currently, web browsers are often affected by use-after-free or dangling pointer vulnerabilities, which are not very easy to detect using static analysis; however, buffer overflows are now very rare, as the majority of them were already discovered by the auditing tools used by vendors. The vulnerability we have discovered and exploited in Internet Explorer is a rare heap overflow which is very difficult to find using conventional methods, and this is why it was not detected by Microsoft since Internet Explorer 6, and not even in Internet Explorer 10, to be released with Windows 8.
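The dangling pointer pattern Bekrar describes (one part of a program frees an object while another still holds a raw pointer to it) and the ownership discipline that prevents it, as an added example in C that is not VUPEN's, Microsoft's or any browser's code. The `Node`, `node_new`, `node_retain`, `node_release`, `node_use` and `demo` names are this example's own; the "document" and "event handler" roles are a constructed stand-in for the shared DOM objects involved in real browser use-after-free bugs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not VUPEN's or Microsoft's code): a tiny "DOM node"
 * shared between a document and an event handler, which is the shape most
 * browser use-after-free bugs take. A reference count decides when the
 * memory may actually be released, and every release clears the caller's
 * pointer so that no dangling reference survives. */
typedef struct Node {
    char name[16];
    int  refcount;      /* number of live references to this node */
} Node;

/* Create a node with one reference held by the creator. */
Node *node_new(const char *name) {
    Node *n = calloc(1, sizeof *n);
    if (n == NULL) return NULL;
    strncpy(n->name, name, sizeof n->name - 1);
    n->refcount = 1;
    return n;
}

/* Take an additional reference (e.g. an event handler keeping the node). */
Node *node_retain(Node *n) {
    if (n != NULL) n->refcount++;
    return n;
}

/* Drop one reference. The node is freed only when the last reference goes;
 * either way the caller's pointer is nulled so it cannot dangle. Returns the
 * remaining reference count (0 once the memory is gone). */
int node_release(Node **ref) {
    Node *n = *ref;
    if (n == NULL) return 0;
    *ref = NULL;                      /* clear the caller's reference first */
    if (--n->refcount > 0) return n->refcount;
    memset(n, 0xDD, sizeof *n);       /* poison before free: a stale read sees garbage, not a valid node */
    free(n);
    return 0;
}

/* Use a node through a reference; a nulled reference is reported, never
 * dereferenced. Returns the name length, or -1 on a dead reference. */
int node_use(const Node *n) {
    if (n == NULL) return -1;
    return (int)strlen(n->name);
}

/* Walk through the scenario: the document drops its node while a handler
 * still refers to it. With the refcount the handler's pointer stays valid,
 * and the memory is only freed when the handler releases it too. Returns 1
 * when every step behaved as expected. */
int demo(void) {
    Node *doc_ref = node_new("button");
    Node *handler_ref = node_retain(doc_ref);       /* handler keeps a reference */

    int after_doc = node_release(&doc_ref);          /* node survives: refcount 1 */
    int usable = node_use(handler_ref);              /* still a valid node: 6 */
    int dead_doc = node_use(doc_ref);                /* document's pointer was nulled: -1 */
    int after_handler = node_release(&handler_ref);  /* last reference: freed, 0 */

    printf("after doc release=%d use via handler=%d use via doc=%d after handler release=%d\n",
           after_doc, usable, dead_doc, after_handler);
    return after_doc == 1 && usable == 6 && dead_doc == -1 && after_handler == 0;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

The two defensive details worth noticing are that `node_release` takes a pointer to the caller's pointer so the reference is nulled at the moment it is dropped, and that the object is poisoned before `free`, which makes an accidental stale read fail loudly under a debugger or a heap checker instead of quietly reusing whatever the allocator placed there next.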
HWC: What is your opinion on some of the security enhancements found in Windows 8?
Bekrar: Windows 8 will be the most secure Windows operating system since the release of Windows 7, as it includes many new security features and new exploit mitigation technologies for Internet Explorer 10, such as those preventing the exploitation of use-after-free vulnerabilities or enhancements making ASLR bypass via memory leaks much more difficult, which will probably result in fewer exploits being developed for Internet Explorer 10.