Chrome Zero-Day Exploit Posted on Twitter

  • Elizabeth Montalbano--Threatpost
  • published date: 2021-04-13 13:40:51 UTC

An update to Google’s browser that fixes the flaw is expected to be released on Tuesday.

<div class="c-article__content js-reading-content"> <p>A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which  he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework.</p> <p>Security researcher Rajvardhan Agarwal tweeted a  <a href="">GitHub link</a> to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday.</p> <p>“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.”</p> <p><a href=""><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="" alt="" width="700" height="50"></a></p> <p><a href="" target="_blank" rel="noopener">Pwn2Own </a>contest rules require that the Chrome security team receive details of the code so they could patch the vulnerability as soon as possible, which they did; the latest version of the Chrome <a href="" target="_blank" rel="noopener">V8 JavaScript engine</a> patches the flaw, Agarwal said in a comment posted in response to his own tweet.</p> <p>However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge and others, leaving them potentially vulnerable to attacks. Google is expected to release a new Chrome version —including security fixes— sometime on Tuesday, though it’s unclear if patches for the bug will be included.</p> <p>As of the time of publication, a Chrome update <a href="" target="_blank" rel="noopener">had not yet been released</a> and Google had not yet replied to an email by Threatpost requesting comment about the flaw and the update.</p> <h2><strong>Not Fully Weaponized</strong></h2> <p>Security researchers Bruno Keith and Niklas Baumstark of Dataflow Security developed the <a href="" target="_blank" rel="noopener">exploit code</a> for a <a href="" target="_blank" rel="noopener">type mismatch</a> bug during last’s week’s contest, and used it to <a href=";" target="_blank" rel="noopener">successfully exploit</a> the Chromium vulnerability to run malicious code inside Chrome and Edge. They received $100,000 for their work.</p> <p>The exploit includes a PoC HTML file that, with its corresponding JavaScript file, can be loaded into a Chromium-based browser in order to launch the Windows calculator (calc.exe) program. Attackers would still need to escape the Chrome browser “<a href="">sandbox</a>,” a security container preventing browser-specific code from reaching the underlying OS, to complete full remote code execution, according to <a href="">a published report</a> from Recorded Future.</p> <p>The researchers seemed surprised that Agarwal posted the exploit on Twitter, with Baumstark tweeting a response to Agarwal’s post on Monday. “Getting popped with our own bugs wasn’t on my bingo card for 2021,” he <a href=";" target="_blank" rel="noopener">tweeted</a>.</p> <p>While the exploit code that Agarwal posted does indeed allow an attacker to run malicious code on a user’s operating system, he apparently was not unscrupulous enough to post a fully weaponized version of the code, according to The Record — he did not post a full exploit chain that would allow sandbox escape.</p> <p>Still, the exploit as posted could still attack services that run embedded/headless versions of Chromium, where sandbox protections aren’t usually enabled, Agarwal told The Record.</p> <p>The 2021 Pwn2Own spring edition, sponsored by Trend Micro’s Zero Day Initiative, was held online last week after organizers published <a href="" target="_blank" rel="noopener">a list of eligible targets</a> for the contest in January. The contest drew multiple teams and included 23 hacking sessions against 10 different products from the list of predefined targets.</p> <p>The teams had 15 minutes to run their exploit code and achieve RCE inside the targeted app, receiving various monetary awards — with $1.5 million in total prize money at stake — for each successful exploit from the contest’s sponsors as well as points towards the overall ranking.</p> <p><strong><em>Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a </em></strong><strong><em><a href=";utm_medium=ART&amp;utm_campaign=April_webinar" target="_blank" rel="noopener">FREE Threatpost event</a></em></strong><strong><em>, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. </em></strong><strong><em><a href=";utm_medium=ART&amp;utm_campaign=April_webinar" target="_blank" rel="noopener">Register here</a></em></strong><strong><em> for the Wed., April 21 LIVE event. </em></strong></p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Chrome Zero-Day Exploit Posted on Twitter" data-url="" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="">Vulnerabilities</a></li> <li><a class="c-label c-label--secondary-transparent" href="">Web Security</a></li> </ul> </div> </div> </footer> </div>