Today MWR Labs (@mwrlabs) demonstrated a full sandbox bypass exploit against the latest stable version of the Google Chrome browser. The demonstration took place during the annual Pwn2Own competition at the CanSecWest conference in Vancouver. The vulnerabilities were found and the exploit was developed by MWR researchers Nils (@nils) and Jon (@securitea).
We showed an exploit against previously undiscovered vulnerabilities in Google Chrome running on a modern Windows-based laptop. By visiting a malicious webpage, it was possible to exploit a vulnerability which allowed us to gain code execution in the context of the sandboxed renderer process. We also used a kernel vulnerability in the underlying operating system in order to gain elevated privileges and to execute arbitrary commands outside of the sandbox with system privileges.
As with many modern operating systems, there were a series of memory protection mechanisms that needed to be bypassed before reliable code execution could be achieved. Specifically, Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) made it more challenging to develop a reliable exploit.
Follow us on Twitter (@mwrlabs) for more updates. A more in-depth technical blog post, detailing the process of finding and exploiting these bugs, will be released once the vendors have patched the vulnerabilities.