Google describes the winning hack at Pwnium

The reason for this withdrawal was claimed to be Pwn2Own’s new non-disclosure rule. “Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome,” wrote Google at the time. “We will therefore be running this alternative Chrome-specific reward program.”

Chrome was rapidly pwned at Pwnium by Pinkie Pie (a play on Hasbro’s pink pwny). But under Pwnium’s own rules, while Pinkie Pie received a $60,000 reward, Google received details of the exploit and the exploited bugs, and was, it claims, able to block the exploit (and that of the competition’s runner-up, Sergey Glazunov) within 24 hours.

Now Google has released details of what it took for Pinkie Pie to defeat Chrome: a chain of six different bugs used to navigate through the code, step by step, until the prize of a sandbox breakout was achieved. This path led from an initial bug in pre-rendering to a buffer overflow in the GPU process, which ultimately led to arbitrary code execution that allowed the GPU process to impersonate the renderer. From the renderer, Pinkie was able to jump to the extension manager. From there, two further bugs allowed him “to install and run his own NPAPI plug-in that executed outside the sandbox at full user privilege.”

Or, as Sophos’ Paul Ducklin puts it: “That’s undeniable pwnership - you can now do everything the current user could do, and anything he wouldn’t. In two words, ‘Game over’.”