Anatomy of a hack: 6 separate bugs needed to bring down Google browser (Updated)

After exploiting six different Chrome vulnerabilities, a hacker named Pinkie Pie was able to display this image on his target machine.

Dan Goodin

An exploit that fetched a teenage hacker a $60,000 bounty targeted six different security bugs to break out of the security sandbox fortifying Google's Chrome browser.

The extreme lengths taken in March by a hacker identified only as Pinkie Pie underscore the difficulty of piercing this safety perimeter. Google developers have erected their sandbox to separate Web content from sensitive operating-system functions, such as the ability to read and write files to a hard drive. Such sandboxes are designed to minimize the damage that can be done when attackers identify and exploit buffer overflows and other types of software bugs that inevitably find their way into complex bodies of code.

Pinkie Pie's attack came during Pwnium, a contest that awarded $60,000 prizes to hackers who successfully broke out of the protective barrier by exploiting only vulnerabilities residing in code that is native to the Google browser. The teenager was one of only two contestants to win the top prize. He did it after executing a custom-written Netscape Plugin Application Programming Interface (NPAPI) plugin directly on a Dell Inspiron laptop that ran a fully patched version of Chrome on a fully patched version of Microsoft's Windows 7 operating system. Google patched the severest of the vulnerabilities within 24 hours of them being exploited.

According to technical details Google published Tuesday, Pinkie Pie's odyssey began by exploiting a bug in a prerendering engine that helps Chrome work faster by gathering clues about webpages before they're loaded. By combining the attack with a second one that exploited a separate bug, he was able to inject a tiny, eight-byte address into a highly restricted section of the browser that processes commands sent to graphics cards.

By guessing some predictable addresses allocated by Windows, he was able to execute the snippet using a technique known as return-oriented programming, which extracts pieces of code present in executable memory areas and rearranges them to form a malicious payload. Although graphics processes are sandboxed, their restrictions are more permissive than those on the parts of Chrome that render HTML and run Native Client processes. That allowed the hacker to tap Chrome's inter-process communications channel, which allows different parts of the browser to work together, and exploit two additional bugs described here and here. They allowed his code to gain additional privileges so it could access the part of Chrome that runs NPAPI plugins. (Note: To keep similar bugs from being exploited in other programs, Google is delaying the disclosure of some details. Some of these links may not work immediately.)

By exploiting two more bugs here and here, he was finally able to break out of the sandbox. The Dell Inspiron responded by displaying an image of a pink pony wielding a medieval axe, but it could just as easily have loaded a backdoor trojan that gave Pinkie Pie complete control over the machine.

In an e-mail that arrived after this article was published, Pinkie Pie said Google's deep-dive analysis varied widely from the way he thought about the attack when he was fashioning it.

"It's interesting to see the bugs listed this way because when writing the exploit I only counted three bugs, not six," he wrote. "117417, 117715, and 117736 are all hardening measures that enforce security boundaries that don't strictly need to exist, which I guess is a good thing."
