A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which he explains affects the current versions of Google Chrome & potentially other browsers, like Microsoft Edge, that use the Chromium framework.
An update to Google’s browser that fixes the flaw was expected to be released today, Tuesday.
Exploit Code
Security researcher Rajvardhan Agarwal tweeted a GitHub link to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday.
“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.”
Contest Rules
Pwn2Own contest rules require that the Chrome security team receive details of the code so that it can patch the vulnerability as soon as possible, which it did; the latest version of the Chrome V8 JavaScript engine patches the flaw, Agarwal stated in a comment posted in response to his own tweet.
However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge & others, leaving them potentially vulnerable to attacks.
Google is expected to release a new Chrome version — including security fixes — sometime today, though it is unclear if patches for the bug will be included. A Chrome update had not yet been released but is shortly expected.
Not Fully Weaponised
Security researchers Bruno Keith & Niklas Baumstark of Dataflow Security developed the exploit code for a type mismatch bug during last week’s contest, & used it to successfully exploit the Chromium vulnerability to run malicious code inside Chrome & Edge. They received $100,000 for their work.
The exploit includes a PoC HTML file that, with its corresponding JavaScript file, can be loaded into a Chromium-based browser in order to launch the Windows calculator (calc.exe) program.
Sandbox
Attackers would still need to escape the Chrome browser “sandbox,” a security container that prevents browser-specific code from reaching the underlying OS, to achieve full remote code execution, according to a published report from Recorded Future.
The researchers seemed surprised that Agarwal posted the exploit on Twitter, with Baumstark tweeting a response to Agarwal’s post on Mon. “Getting popped with our own bugs wasn’t on my bingo card for 2021,” he tweeted.
Malicious Code
While the exploit code that Agarwal posted does allow an attacker to run malicious code on a user’s operating system, he apparently was not unscrupulous enough to post a fully weaponised version of the code, The Record reports — he did not post a full exploit chain that would allow a sandbox escape.
The exploit as posted could still attack services that run embedded/headless versions of Chromium, where sandbox protections are not usually enabled, Agarwal told The Record.
Zero Day Initiative
The 2021 Pwn2Own Spring edition, sponsored by Trend Micro’s Zero Day Initiative, was held online last week after organisers published a list of eligible targets for the contest in January. The contest drew many teams & included 23 hacking sessions against 10 different products from the list of predefined targets.
The teams had 15 minutes to run their exploit code & achieve RCE inside the targeted app. Each successful exploit earned a cash award from the contest’s sponsors, with $1.5m in total prize money at stake, as well as points towards the overall ranking.