28 comments

[ 5.7 ms ] story [ 49.5 ms ] thread
(comment deleted)
(comment deleted)
How does one start acquiring skills like these?
Impressive. Feel like finding issues like this in such a large project is like looking for a needle in a haystack
Kind of life changing money, good to see such rewards
"Decent." was the first word that came into my mind. After a second, I realized that 250,000 USD ist basically 0.00022 % of Alphabet's (Google's?) annual net income [0].

A life changing amount of money for an individual, but nothing more than a small blip on Google's charts. Of course, I'm aware of "budgets" and "departments", and that one simply does not move funds between departments. And while my mind is on the verge of "maybe they should have paid more?", the numbers would mean that even 10x the sum would move the percentage by one decimal. It's wild how much money big corporations have.

I highly applaud the researcher for their tremendous amount of skill and dedication.

[0] https://www.reddit.com/r/google/comments/1lh0pl4/google_is_n...

He had a pretty reliable exploit on the most used browser, pretty sure it he could have gotten more tax free on the black market.

Now, with EDR widely deployed it's likely that the exploit usage ends up being caught sooner than later, but pretty sure some dictatorship intelligence agency would have found all those journalists deep compromise worthwhile...

“ Default disclosure for this issue is 11 August. Opening this issue just five days early for visibility this particular week. :)”

Hello Defcon!

(comment deleted)
Suppose someone wanted to dive into other projects with the ambition of finding high value bugs. Besides chromium what would you recommend or consider? What would be your thought process for deciding what projects to look into?
(comment deleted)
It is unfortunate that there is no web browser in a memory safe language. As I understand, both Chromium and Firefox use C++, although Firefox partly uses Rust. This has put billions of people at risk.
Is there somewhere explaining this bug in terms understandable for someone not dabbling in this?

I don't really understand how this works to "escape the sandbox". Normally it's like a website you visit that get access it shouldn't have. But this talk about renderers and native apis make it seem like it's stuff another process on the computer would do?

It looks like the bug is that there is a way for the renderer (sandboxed) process to trigger the browser (unsandboxed) process to duplicate an arbitrary windows kernel object handle. When you duplicate a handle, you can restrict access, or allow the duplicate to have full access as the original - unfortunately this one is duplicating preserving all the capabilities/access of the original handle.

Now for the POC exploit - it so happens that 0x108 is typically a thread handle for a thread in the browser process. What can you do with a thread handle? You can pause execution of that thread, set its register values (including instruction pointer), resume execution.

If kernel32.dll loads at the same address in each process, we can find some set of instructions in it that write a register's value to another register's address. If we set the instruction pointer to that instruction, we've unlocked the ability to write arbitrary memory in the unsandboxed process.

Finally, we can call other Windows APIs (by finding the address of the function to call and setting instruction pointer to it)- in the POC, they write "calc.exe" to a string, then call the system api to launch calculator.

Impressive speed on rewarding as well. Around 4 weeks.

Lot of companies will sit for months just to acknowledge your submission.

(comment deleted)
I wonder how much the black market would pay for an exploit like that - anyone know?
Does this mean engineers of Google can't fix it?
I didn’t get anything for my JavaScript recursive reference failure defect report a decade ago, but then it also wasn’t a sev1 security compromise defect either.
Of note, this is a logic/timing bug, and Rust would not have prevented this.
Although seeing these bugs fixed and getting rewarded for finding them is great, I still think that Microsoft's idea of virtualising the entire browser process was genius. It also feels better than any "lockdown"-like mode that maybe just disables some JIT engine or two.

I'd really like that on both Linux and macOS.

Are there people who work full time from income on bug bounties?