Pwnium2 Is Over – One Exploit And It’s Already Patched

Pwnium2 is Google’s second competition where they challenge hackers to tear into the Chrome browser. The payouts are much larger than the typical bounty program with the highest being 60,000 dollars for an ‘all Chrome’ exploit.

Last year we saw three exploits – one by Sergey Glazunov, one by ‘Pinkie Pie’, and one by the Vupen team. The Vupen exploit was in the NPAPI Flash plugin, Sergey Glazunov used UXSS among other things, and Pinkie Pie used a series of escalation bugs to hop from one sandbox to the next.

This year we saw only one exploit, and it was by Pinkie Pie. Details aren’t out yet, but it was discovered about 8-10 hours ago (by my count) and it earned him 60,000 dollars.

It’s described as:

Critical CVE-2011-2358: SVG use-after-free and IPC arbitrary file write. Credit to Pinkie Pie.

We’re happy to confirm that we received a valid exploit from returning pwner, Pinkie Pie. This pwn relies on a WebKit Scalable Vector Graphics (SVG) compromise to exploit the renderer process and a second bug in the IPC layer to escape the Chrome sandbox. Since this exploit depends entirely on bugs within Chrome to achieve code execution, it qualifies for our highest award level as a “full Chrome exploit,” a $60,000 prize and free Chromebook.

The big deal there is the IPC arbitrary file write – I suspect the SVG use-after-free was just the initial renderer compromise.
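To show why a file-write primitive in the browser-side IPC handler is the sandbox-breaking half of this chain, here is an added, constructed model (not Chrome code, and not the actual Pwnium bug, whose details were not public when this was written) of a broker that receives a path from a sandboxed renderer: a flawed version that trusts the path as-is, beside a version that confines writes to a hypothetical scratch directory.

```python
"""Constructed model of a privileged broker handling a sandboxed process's
file-write request. The directory name and function names are assumptions."""
import posixpath

# Hypothetical directory the renderer is allowed to write into.
SANDBOX_ROOT = "/var/chrome/renderer-scratch"


def unchecked_target(requested: str) -> str:
    """Flawed handler: trusts the renderer-supplied path as-is.
    A compromised renderer can name any file the browser process can write."""
    return requested


def brokered_target(requested, root: str = SANDBOX_ROOT):
    """Hardened handler: accept only a relative path that normalizes to a
    location strictly inside root; refuse everything else (None)."""
    if not isinstance(requested, str) or not requested:
        return None
    if requested.startswith("/"):      # absolute paths are never allowed
        return None
    if "\x00" in requested:            # NUL would truncate the path in C APIs
        return None
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # normpath collapses "a/../.." etc.; the result must stay under root
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def handle_write_request(requested, handler=brokered_target):
    """Return (accepted, target) for one IPC request. A real broker would
    still open target with symlink-safe flags; nothing is written here."""
    target = handler(requested)
    if target is None:
        return False, None
    return True, target
```

The unchecked handler accepts a traversal or absolute path unchanged, which is exactly the primitive the page describes; the hardened one rejects it before any filesystem call.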

The patch has already been issued to the stable channel. I’ll post more after I listen to the talk about the exploit.

Pwnium Two – Google Chrome To Hold Another Hacking Contest

Google had so much fun with the Pwnium competition the first time they’ve decided to hold another one. This should be interesting as we’ll get to see if Chrome exploits are really worth 60,000 dollars or if attackers are more willing to sell to higher bidders.

The rewards are similar though now instead of a 1 million dollar limit there’s a 2 million dollar limit. This is largely irrelevant as it is very unlikely there will be that many exploits.

The competition essentially lets a bunch of people come together and see how far they can break Chrome. Last competition we had three exploits bypass Chrome’s sandbox – one by Pinkie Pie, one by Vupen, and one by Sergey Glazunov.

The Vupen exploit was pretty lame and used the Flash plugin. The Flash plugin for Chrome is now PPAPI and far stronger than it used to be so Vupen’s going to have to find another way to get out of the sandbox.

The Vupen exploit was not revealed, but the others were. They made use of 6 and 12 bugs respectively and were really brilliant.

Chrome’s sandbox has improved since the last competition – the renderer now runs at the Untrusted integrity level, as does Flash – so it will be fun to see how people break out this time.