Chrome Zero-Day Exploit Posted on Twitter
An update to Google’s browser that fixes the flaw is expected to be released on Tuesday.
<div class="c-article__content js-reading-content"> <p>A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework.</p> <p>Security researcher Rajvardhan Agarwal tweeted a <a href="https://github.com/r4j0x00/exploits/tree/master/chrome-0day">GitHub link</a> to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday.</p> <p>“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.”</p> <p><a href="https://threatpost.com/newsletter-sign/"><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg" alt="" width="700" height="50"></a></p> <p><a href="https://github.com/r4j0x00/exploits/tree/master/chrome-0day" target="_blank" rel="noopener">Pwn2Own </a>contest rules require that the Chrome security team receive details of the code so they could patch the vulnerability as soon as possible, which they did; the latest version of the Chrome <a href="https://v8.dev/" target="_blank" rel="noopener">V8 JavaScript engine</a> patches the flaw, Agarwal said in a comment posted in response to his own tweet.</p> <p>However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge and others, leaving them potentially vulnerable to attacks. Google is expected to release a new Chrome version —including security fixes— sometime on Tuesday, though it’s unclear if patches for the bug will be included.</p> <p>As of the time of publication, a Chrome update <a href="https://chromereleases.googleblog.com/" target="_blank" rel="noopener">had not yet been released</a> and Google had not yet replied to an email by Threatpost requesting comment about the flaw and the update.</p> <h2><strong>Not Fully Weaponized</strong></h2> <p>Security researchers Bruno Keith and Niklas Baumstark of Dataflow Security developed the <a href="https://github.com/r4j0x00/exploits/commit/7ba55e5ab034d05877498e83f144e187d3ddb160" target="_blank" rel="noopener">exploit code</a> for a <a href="https://excelmacromastery.com/vba-type-mismatch/" target="_blank" rel="noopener">type mismatch</a> bug during last’s week’s contest, and used it to <a href="https://twitter.com/_niklasb/status/1381647525615112195?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1381647525615112195%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fgoogle-chrome-microsoft-edge-zero-day-vulnerability-shared-on-twitter%2F" target="_blank" rel="noopener">successfully exploit</a> the Chromium vulnerability to run malicious code inside Chrome and Edge. They received $100,000 for their work.</p> <p>The exploit includes a PoC HTML file that, with its corresponding JavaScript file, can be loaded into a Chromium-based browser in order to launch the Windows calculator (calc.exe) program. Attackers would still need to escape the Chrome browser “<a href="https://en.wikipedia.org/wiki/Sandbox_(computer_security)">sandbox</a>,” a security container preventing browser-specific code from reaching the underlying OS, to complete full remote code execution, according to <a href="https://therecord.media/security-researcher-drops-chrome-and-edge-zero-day-on-twitter/">a published report</a> from Recorded Future.</p> <p>The researchers seemed surprised that Agarwal posted the exploit on Twitter, with Baumstark tweeting a response to Agarwal’s post on Monday. “Getting popped with our own bugs wasn’t on my bingo card for 2021,” he <a href="https://twitter.com/_niklasb/status/1381647525615112195?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1381647525615112195%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fgoogle-chrome-microsoft-edge-zero-day-vulnerability-shared-on-twitter%2F" target="_blank" rel="noopener">tweeted</a>.</p> <p>While the exploit code that Agarwal posted does indeed allow an attacker to run malicious code on a user’s operating system, he apparently was not unscrupulous enough to post a fully weaponized version of the code, according to The Record — he did not post a full exploit chain that would allow sandbox escape.</p> <p>Still, the exploit as posted could still attack services that run embedded/headless versions of Chromium, where sandbox protections aren’t usually enabled, Agarwal told The Record.</p> <p>The 2021 Pwn2Own spring edition, sponsored by Trend Micro’s Zero Day Initiative, was held online last week after organizers published <a href="https://www.zerodayinitiative.com/blog/2021/1/25/announcing-pwn2own-vancouver-2021" target="_blank" rel="noopener">a list of eligible targets</a> for the contest in January. The contest drew multiple teams and included 23 hacking sessions against 10 different products from the list of predefined targets.</p> <p>The teams had 15 minutes to run their exploit code and achieve RCE inside the targeted app, receiving various monetary awards — with $1.5 million in total prize money at stake — for each successful exploit from the contest’s sponsors as well as points towards the overall ranking.</p> <p><strong><em>Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a </em></strong><strong><em><a href="https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar" target="_blank" rel="noopener">FREE Threatpost event</a></em></strong><strong><em>, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. </em></strong><strong><em><a href="https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar" target="_blank" rel="noopener">Register here</a></em></strong><strong><em> for the Wed., April 21 LIVE event. </em></strong></p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Chrome Zero-Day Exploit Posted on Twitter" data-url="https://threatpost.com/chrome-zero-day-exploit-twitter/165363/" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/vulnerabilities/">Vulnerabilities</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>
