Their site seems to be going down, so here's the text:
---
Hi everyone,
We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox.
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level. Note: The Calculator is used here as an example, it can be replaced by any other payload.
While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.
This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services.
Unless Google is one of their customers it may actually be a little while before this exploit is fixed. VUPEN does security research and doesn't disclose to original vendors unless they happen to be customers.
I both love and hate them. They are extremely talented and find absolutely awesome bugs that are hard to discover without a lot of work, and I hate them because they don't disclose their work unless it is for money. While I can understand that they have to make a living too, it just feels wrong to not protect everyone in the world when possible.
The reality is that there is probably no chance that they would ever find these bugs if they weren't funded to do it and the only way to be funded is to have customers.
The net result is probably safer software for all.
LOL, and Google does not have enough money to pay them a few measly billions to help fix their crown jewel chrome browser?? Don't make me laugh like that! Poor Google, not enough money, that'll be the day.
These things should not in my opinion be disclosed to (the idiot skript kiddie segment of) the public before the vendors have been given a good long window to fix them.
I prefer what VUPEN does when compared to irresponsible discoveries by black hats who do not give a shit about the integrity of the installed product and privacy / safety / security of how many millions of users, who can then be screwed over by every skript kiddie and his dog because they released the info straight to the public.
Sure, if the vendor has absolutely ignored you and your loud demos of the bug, and won't respond to threats to release, you might release the exploit to a small segment of the IRREPROACHABLE VANILLA WHITE HAT security community with the intention that they might help persuade the vendor to take it seriously. That's about as far as I'd want to go with releasing serious exploits. Although of course grey/black hat stuff is fun - look, mum, I have a cool exploit!
If VUPEN are sworn to secrecy by their Government customer, and cannot tell the vendor or help them fix the bug, maybe it's time to get a new Government and public service. Your Government (US arrogances with a capital G) is trying to pwn you and spy on you. Fuck that, the government should answer to the will of the people (and don't talk to me about the farce we call democratic election. Democracy is where (almost) all the people are deeply involved in determining policy, it's more like the ideal soviet system, really, which was not realized AFAIK.)
Anyway, isn't that why you're carting guns around all these years, in case your (US) Government turns nasty and starts pwning your ass up down right and left with a canoe? (Not that it wasn't already.) Yes indeed, guns!! However let it not be said that I am inciting violent revolution with this sarcastic post, as I don't believe in or wish to promote that or any violent act.
I can understand their joy but the last sentence in the post and the Twitter update: "Sorry Google...we have officially pwned Google Chrome and its sandbox with a 0-Day." [1] seem rather unprofessional for the "world leader in vulnerability research for defensive and offensive security" [2], a company with "Government customers".
I'm not too sure that's the business VUPEN is in. Sure, it doesn't hurt them much to share their latest Safari exploit given how slow Apple is on the fix, but with Google their window has the potential to be very short.
This seems extremely unethical to me. Now that the world knows there is a massive exploit in Chrome, there are bound to be more hackers attempting to abuse it - and have a few hints from the video. By blogging about this and not disclosing it to Google, they are actually increasing the risk of millions of individuals and companies being hacked.
Edit: Then again, blogging about it also makes Google aware of the exploit. I'm sure they have tons of resources working on it that wouldn't have otherwise...
vupen: "Hey Google, your browser has a very nasty bug that allows for potentially horrible things to happen. We thought we'd share that with the world. If you'd like to know where it is though, you'd better give us money."
Why not? This is highly specialized research that not even well-paid Google employees were able to do.
This is actually quite common in recent years for bug hunters and exploit developers. I can think of a dozen or so companies that do the same thing. Immunity is another example.
Trying to use a moral argument to get out of compensating someone when you have the resources to do so is shameful. Sorry, but this stuff is worth far more than the (up to) $3133 they are offering.
No More Free Bugs, as they say.
They can either pay a nominal fee for doing their security work for them, or they can hire some equally talented people and fund this type of research on their own internally. Fair is fair. There is no reason this isn't worth compensating but something like pagerank optimizations is.
I think you'd be biting off the hand that feeds you. If you eliminate what is arguably a distasteful arrangement here, you also eliminate the incentive to continue doing it. You might get this bug for free, but you get a hidden loss, a bunch of future bugs that you'll never hear about.
Think about the audacity of farmers, who make a profit for food, which you need to live. But nobody thinks like that for some reason.
Earning profit just means you've done something for someone who really wanted it done. It's a necessary signal.
Looking at the video and time it took to launch the calc.exe, it could be pdf/flash exploit that they are using.
Process count in Process Explorer started with 5 and at the end of the demo, it looked like they have 8. That tells us there are 2 extra processes that are created (discounting 1 for calc.exe).
I tried to see if pdf/flash creates new processes but I couldn't verify. Perhaps a chrome developer could get a clue about what is happening looking at the video.
They are obviously hiding something. When they flip back to Process Explorer, Chrome is perfectly sized to cover everything in the window except the calc.exe. My guess is there are other processes running that they're trying to hide that were used in the exploit.
"This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers"
Seems odd to me that they don't publicly disclose the vulnerabilities, but they do publicly disclose the software versions affected by their "weaponized exploits", thereby giving the heads up to whoever might be targeted to avoid using that newly compromised software.
I think the version disclosure here was less of a "This version has a bug" and more of a "The latest version has a bug." It's a lot safer to tell people which haystack the needle is in than to give away the needle anyway.
The two things I noticed were that 1) The user of the device is named "IAmAdmin", implying that they have admin rights, and 2) The "integrity" of chrome.exe is changed from Low to Medium at some point during the attack. Could this somehow be related to breaking out of the sandbox?
To what extent is this extortion? I mean, they have admitted to only selling to a government. That means they find and exploit vulnerabilities in software created by a private corporation, disclose the existence of a vulnerability publicly, but don't allow the corporate body the means of fixing it. This news, if publicised, would harm Google's reputation and goodwill, perhaps non-negligibly, and cause users to switch products. Unless, of course, Google outbids a government. Pay up or suffer - would this be extortion?
I don't believe this crappy little security firm has more resources than Google, even in the Security Research Dept. They can go find it themselves and fix it. Anyway, it's probably mostly a Windows bug. If you line the right bytes up together in Windows' RAM, it will void itself and yield 'root' or whatever wiener name they have for it. Who knows, maybe the Govt is trying to screw Google, and told them to do a fake release. Their post doesn't make them sound like real pros.
I wouldn't assume that. I think the big deal here is that they managed to break out of the Windows sandbox; that's what makes the exploit particularly interesting. The same vulnerability could exist on Linux too, but they just didn't invest the time in developing and demoing an exploit there too.
Or maybe not. I'm just saying, we can't assume either way.
I'd like to mention something to everyone running around crying about the falling sky because THE GUBBMINT has paid a security company to audit Chrome. Oak Ridge National Labs just recently had to shut down COMPLETELY because an Internet Explorer exploit "pwned" them. Do you maybe see how THE GUBBMINT might be interested in knowing if other browsers, such as Chrome, are as vulnerable?
But by all means, put on your tinfoil hats if that's more fun.
The video is edited, right about when he's showing Process Explorer post-exploit. The cursor suddenly leaps across the screen, so assuming they're covering up the other child process of the main Chrome process is fair. Strangely, Process Explorer's 'process count' only goes up by 1, despite launching calc, and (seemingly) another child process. To be over-zealous, the single row of visible pixels for that other process is consistent with rundll32.exe.
That still doesn't mean that it's not a chrome bug - the exploit may use flash to retrieve the payload, make use of flash-js communication, flash-chrome communication quirks etc.
Impressive, but not surprising. Chrome isn't magical; ASLR and DEP have been bypassed in the past, and even if its own sandbox is perfect, the kernel it's sitting under is a huge attack surface.
ASLR and DEP, by and large, have nothing to do with the kernel. ASLR is a function of the binary loader and memory allocators, which are in userland. DEP is a function of userland memory protection flags (they're handled on the bare metal by the kernel, but the kernel just sets what it's told to by the userland). I'd put any amount of money down on the table that there is no kernel vulnerability here at all -- if there was one, I assure you that it'd be more than a Chrome vuln.
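The comment above points at something a defender can check directly: on Windows, ASLR and DEP are per-image opt-ins recorded in the DllCharacteristics word of the PE optional header, which the userland loader honours when it maps the file. The script below is an added example, not code from the thread, from VUPEN or from Google. It parses that word, plus the COFF Characteristics word, because an image that sets DYNAMIC_BASE but had its relocations stripped cannot actually be rebased, and reports what the image asks for. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants from winnt.h; the two sample images are constructed inside the script so it runs offline, and `build_sample_pe`, `pe_mitigations` and `findings` are names chosen here.

```python
"""Static audit of the per-image ASLR/DEP opt-in flags in a PE header.

Constructed example: the parser reads only the DOS header pointer, the COFF
header and the DllCharacteristics word of the optional header, so it works
offline on any PE file or on the synthetic images built below.
"""
import struct
import sys

# Documented PE header flag values (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics word
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # DllCharacteristics word
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000


def pe_mitigations(data: bytes) -> dict:
    """Return which loader-enforced mitigations a PE image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, _ts, _psym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dllchar,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32_plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only rebase an image that still carries relocations,
        # so DYNAMIC_BASE without them does not randomize anything.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "guard_cf": bool(dllchar & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def findings(report: dict) -> list:
    """Turn a report into the warnings a reviewer would raise."""
    out = []
    if not report["aslr_effective"]:
        reason = " (relocations stripped)" if report["relocs_stripped"] else " (DYNAMIC_BASE not set)"
        out.append("ASLR: image will load at a fixed base" + reason)
    if not report["nx_compat"]:
        out.append("DEP: image does not opt into NX_COMPAT")
    if report["pe32_plus"] and not report["high_entropy_va"]:
        out.append("ASLR: 64-bit image without HIGH_ENTROPY_VA")
    return out


def build_sample_pe(characteristics: int, dllchar: int, pe32_plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # e_lfanew at 0x3C
    opt_size = 240 if pe32_plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32_plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


# 0x0022 = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE in the COFF Characteristics word.
HARDENED = build_sample_pe(0x0022, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                           | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                           | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
# DYNAMIC_BASE set, but relocations stripped: looks randomized, is not.
MISLEADING = build_sample_pe(0x0022 | IMAGE_FILE_RELOCS_STRIPPED,
                             IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, pe32_plus=False)

if __name__ == "__main__":
    images = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("constructed-hardened", HARDENED), ("constructed-misleading", MISLEADING)]
    for name, blob in images:
        rep = pe_mitigations(blob)
        print(name, rep, findings(rep) or ["no findings"])
```

Run it with one or more paths to audit real binaries, or with no arguments to see the two constructed samples. What it reports is what the image requests; the system-wide DEP policy and any VirtualProtect calls the process makes afterwards decide the final page protections, which is exactly the comment's point that these flags are set from userland and the kernel only enforces them.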
gchucky|15 years ago
The video in question is http://www.youtube.com/watch?feature=player_embedded&v=c...
calloc|15 years ago
xutopia|15 years ago
timdorr|15 years ago
VladRussian|15 years ago
http://www.vupen.com/english/services/
"offensive security", yep. The guys are dirty like the Gary. Why do a racket and a government always mean a happy marriage?
unknown|15 years ago
[deleted]
exit|15 years ago
ignifero|15 years ago
unknown|15 years ago
[deleted]
sswam|15 years ago
Poor Google, not enough money. LOL!
adrianp|15 years ago
[1] https://twitter.com/VUPEN
[2] http://www.vupen.com/english/company.php
burgerbrain|15 years ago
bonch|15 years ago
JoachimSchipper|15 years ago
And the vendor, I hope? Of course, we know HBGary was developing private exploits, but it wasn't exactly blogging about them.
trotsky|15 years ago
watty|15 years ago
rheide|15 years ago
lawnchair_larry|15 years ago
orblivion|15 years ago
trotsky|15 years ago
http://trailofbits.com/2009/03/22/no-more-free-bugs/
code_duck|15 years ago
SriniK|15 years ago
Osiris|15 years ago
Steko|15 years ago
Love the capital G.
mef|15 years ago
chromic|15 years ago
trotsky|15 years ago
ryanclemson|15 years ago
phaet0n|15 years ago
Considering how non specific VUPEN are, I wouldn't be surprised if they're hiding this.
tlrobinson|15 years ago
flipbrad|15 years ago
sswam|15 years ago
krupan|15 years ago
They didn't say that the exploit didn't work on Mac or Linux, but one can only assume they tested those and weren't successful?
Niten|15 years ago
jff|15 years ago
lojack|15 years ago
llambda|15 years ago
trololo|15 years ago
bOR_|15 years ago
Google has/had the 'do no evil' in their philosophy, and disabling a scheme that misuses their software for cyber-warfare sounds like a good thing.
mdpm|15 years ago
comex|15 years ago
daeken|15 years ago
podperson|15 years ago