Description: From the VUPEN Research Blog:
Hi everyone,
We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox.
The exploit shown in this video is one of the most sophisticated pieces of code we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN, and it works on all Windows systems (32-bit and x64).
The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level.
While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.
More information on their website:
http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
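The claim above is that the payload ends up running outside the sandbox at Medium integrity. The check a practitioner would run on the test machine is to read the mandatory label of each Chrome process and of the launched calc.exe: on Windows 7 the Chrome broker runs at Medium while its sandboxed renderers run at Low, so a calc.exe at Medium is indeed outside the integrity-level sandbox. The program below is an added example written for this page, not VUPEN's or Google's code; the integrity-level RIDs are the documented winnt.h values, the Windows part uses the standard OpenProcessToken/GetTokenInformation(TokenIntegrityLevel) and Toolhelp32 APIs, and the default image name "chrome.exe" is an assumption you can override on the command line.

```c
/*
 * Added example (not VUPEN's code): print the integrity level of every
 * running process whose image name matches argv[1] (default, assumed:
 * chrome.exe), so the Chrome broker (Medium) can be told apart from its
 * sandboxed renderers (Low) and from a payload such as calc.exe that was
 * launched outside the sandbox at Medium.  The enumeration only builds on
 * Windows; the classification helpers are portable so they can be tested
 * on any platform.
 */
#include <stdio.h>
#include <string.h>

/* Mandatory-label RIDs (SECURITY_MANDATORY_*_RID in winnt.h), repeated
 * here so the helpers below compile without the Windows headers. */
#define IL_UNTRUSTED 0x0000u
#define IL_LOW       0x1000u
#define IL_MEDIUM    0x2000u
#define IL_HIGH      0x3000u
#define IL_SYSTEM    0x4000u

/* Map a mandatory-label RID to the name Process Explorer shows. */
const char *integrity_level_name(unsigned long rid)
{
    if (rid < IL_LOW)    return "Untrusted";
    if (rid < IL_MEDIUM) return "Low";
    if (rid < IL_HIGH)   return "Medium";
    if (rid < IL_SYSTEM) return "High";
    return "System";
}

/* A Chrome sandboxed process on Windows 7 runs at Low; anything at
 * Medium or above is outside the integrity-level part of the sandbox. */
int is_outside_sandbox(unsigned long rid)
{
    return rid >= IL_MEDIUM;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* Read the mandatory label of one process's primary token; 0 on failure
 * (typically access denied for processes owned by another user). */
static int query_integrity_level(DWORD pid, DWORD *rid_out)
{
    HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    HANDLE tok = NULL;
    DWORD len = 0;
    PTOKEN_MANDATORY_LABEL tml;
    int ok = 0;

    if (!proc) return 0;
    if (!OpenProcessToken(proc, TOKEN_QUERY, &tok)) { CloseHandle(proc); return 0; }

    /* First call sizes the buffer, second call fills it. */
    GetTokenInformation(tok, TokenIntegrityLevel, NULL, 0, &len);
    tml = (PTOKEN_MANDATORY_LABEL)LocalAlloc(LPTR, len);
    if (tml && GetTokenInformation(tok, TokenIntegrityLevel, tml, len, &len)) {
        DWORD count = *GetSidSubAuthorityCount(tml->Label.Sid);
        *rid_out = *GetSidSubAuthority(tml->Label.Sid, count - 1); /* last sub-authority is the level */
        ok = 1;
    }
    if (tml) LocalFree(tml);
    CloseHandle(tok);
    CloseHandle(proc);
    return ok;
}

/* Build without -DUNICODE so PROCESSENTRY32.szExeFile is a char array. */
int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "chrome.exe";
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    if (snap == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateToolhelp32Snapshot failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    pe.dwSize = sizeof(pe);
    if (Process32First(snap, &pe)) {
        do {
            DWORD rid;
            if (_stricmp(pe.szExeFile, target) != 0) continue;
            if (query_integrity_level(pe.th32ProcessID, &rid))
                printf("%-12s pid %5lu  %-8s %s\n", pe.szExeFile,
                       (unsigned long)pe.th32ProcessID, integrity_level_name(rid),
                       is_outside_sandbox(rid) ? "(outside sandbox)" : "(sandboxed)");
            else
                printf("%-12s pid %5lu  <access denied>\n", pe.szExeFile,
                       (unsigned long)pe.th32ProcessID);
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return 0;
}
#else
int main(void)
{
    printf("Process enumeration needs Windows; RID 0x%lx is \"%s\"\n",
           (unsigned long)IL_MEDIUM, integrity_level_name(IL_MEDIUM));
    return 0;
}
#endif
```

Run it twice on the victim machine, once with no argument to see the Chrome broker at Medium and the renderers at Low, and once with `calc.exe` after the payload has fired: a Medium label on calc.exe confirms the "outside the sandbox at Medium integrity level" claim. One caveat: Chrome's sandbox is more than the integrity label (restricted tokens, job objects, desktop isolation), so this tool only checks the one dimension the blog post names.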
The guys at VUPEN are freakin awesome (that's me paying a compliment... doesn't happen a lot). I do wonder on the how of the thing. I suppose after the next patch release there will be several sections of code changed, but we'll see. Heap sprays usually take some time, but the comments on the blog make me think it was at least a three-stage attack (which is horribly impressive). I would still like to see some PoC though... Okay. Compliment again - guys at VUPEN... awesome.
I am wondering if this is the same attack seen on mail.ru...anyone know?