Chrome安全已不是神話 沙盒被攻破
來自法國的安全研究機構VUPEN宣稱他們突破了chrome的沙箱保護,ASLR/DEP保護也一同被突破。VUPEN宣稱漏洞代碼將不會被公布,只會提供給他們的政府合作伙伴,所以我們并不清楚chrome的開發團隊是否被通知漏洞信息。
下面是他們的聲明:
Hi everyone,
We are (un)happy to announce that we have officially Pwnd Google Chrome and its sandbox.
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level.
While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any installation of Chrome despite its sandbox, ASLR and DEP.
This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services.
這個聲明的大致意思是:VUPEN已經攻破了Goggle的Chrome瀏覽器,并且是在沒有利用Windows本身的內核漏洞的情況下繞過了Chrome中的所有安全機制,并且可以實現完全無聲的入侵。聲明中還指出,出于安全原因,利用代碼和潛在漏洞的技術細節不會被公開披露。它們只與政府客戶分享漏洞研究作為服務的一部分。
原文地址:http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php
【編輯推薦】
