French hackers took down Chrome at the 2012 CanSecWest “Pwn2Own” hacker contest without batting an eye.
Google’s browser stood the test at last year’s event, but it was the first to topple this time around. The winner? Vupen.
According to ZDNet, Vupen is a French supplier of exploits and vulnerabilities to government clients.
Headlines after the previous contest claimed Chrome was unbreakable. The news infuriated Vupen, so cofounder Chaouki Bekrar set out to prove otherwise. His team targeted the supposedly indestructible browser and worked for about six weeks to find vulnerabilities.
“We had to use two vulnerabilities. The first one was to bypass DEP and ASLR on Windows and a second one to break out of the Chrome sandbox,” explained Bekrar in an interview.
Vupen released a video of a successful Chrome sandbox escape conducted last year, but Google claimed it unfairly exploited third-party code. Bekrar declined to say whether this year’s hack relied on third-party code in the browser:
“It was a use-after-free vulnerability in the default installation of Chrome. Our exploit worked against the default installation, so it really doesn’t matter if it’s third-party code anyway.”
Bekrar explained that, for the contest, Vupen set up a website that hosted its exploits. After the target visited the team’s deceptive page, Vupen’s exploit opened the Calculator app outside of the sandbox.
“There was no user interaction, no extra clicks. Visit the site, popped the box,” Bekrar added.
Vupen plans to sell the rights to one of the vulnerabilities, but the company is keeping the sandbox escape for its customers. Despite how smoothly the hack went, Bekrar contended that Chrome, with its sandbox, is still the most secure browser available.
“It’s not an easy task to create a full exploit to bypass all the protections in the sandbox… This just shows that any browser, or any software, can be hacked if there is enough motivation and skill,” Bekrar said.
The hack earned Vupen 32 points under the competition’s new format.