Pwn2Own is an ethical hacking competition where security researchers and hackers alike come together to attempt to exploit vulnerabilities in popular applications and devices. Successfully exploiting a vulnerability is what Michael Scott would call a win-win-win situation. The contestant gets a significant cash prize award. The vendor with the vulnerability gets to patch the exploit before it reaches the public. Consumers get to continue living in blissful ignorance. Well, that’s usually the case unless somebody decides to reverse engineer the exploit and releases it on Twitter before a patch is released, which is what happened in this case. And we were so close to blissful ignorance.
Rajvardhan Agarwal, a security researcher, appears to have reverse-engineered a Chromium exploit discovered by the security researchers Bruno Keith and Niklas Baumstark of Dataflow Security during the recent 2021 Pwn2Own competition. After obtaining the exploit, Rajvardhan did what most people probably wish he wouldn’t have done, which is release the exploit to the public.
On Monday, April 12th, Rajvardhan tweeted a link to a GitHub page containing the exploit for all to see and use. The exploit, which appears to affect all Chromium browsers, including Google Chrome and Microsoft Edge, uses a type mismatch bug to allow attackers to run malicious code on affected systems.
Ethical hacking contests are nothing new. Def Con, one of the world’s largest hacker conventions, has been going strong since 1993, which means hacking conventions have been around almost as long as the internet. While the term hacking usually makes people think of bad (or totally rad) movies, ransomware, and their grandmas getting scammed for BestBuy gift cards, ethical hacking is actually very beneficial for consumers. Ethical hacking is a good way for vendors to ensure their products are as secure as possible, and they are usually more than willing to pay people for their efforts.
So how are these exploits kept safe from being released to the public?
The rules of Pwn2Own require successful contestants to provide full details of the vulnerabilities and exploitations to the sponsor, which in this case was Trend Micro. The detailed information of the exploits then becomes the sponsor’s property, after which the sponsor provides the information to the affected vendor. The vendor is then given time to patch the affected systems before the exploit is made known to the public. This information is detailed in section 5, “Winner Selection” of Pwn2Own’s rules.
“Upon successful demonstration of the exploit, the contestant will provide Sponsor with a fully functioning exploit plus a whitepaper explaining the vulnerabilities and exploitation techniques used in the entry. In the case that multiple vulnerabilities were exploited to gain code execution, details about all of the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prizes. Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors and the exploits and whitepapers will become the property of the Sponsor in accordance with the ZDI researcher agreement.”
So if these conventions and contests have been around for so long, how did this get released as a zero-day?
Vendors are well aware of the patch gap. Chrome initially had a patch gap of 33 days. In 2019, Chrome’s security team lowered the patch gap to 15 days by offering product releases every two weeks. More frequent releases drastically reduce the risk with patch gap exploits; however, attackers are also getting faster at exploiting vulnerabilities.
At the time of this writing, no Chrome or Edge updates have been released to address this exploit. That doesn’t mean it’s time to stop using your favorite chromium browsers, though. Thankfully, the zero-day exploit isn’t fully capable of exploiting a user’s system in its current form. An attacker would still need to get past Chromium's sandbox, which is a security container designed to block browser-specific code from interacting with the operating system. With that in mind, keep an eye out for upcoming patches to make sure your systems are protected.
Whether or not Agarwal should have released this exploit to the public, knowing that the patch hasn’t made it to production yet doesn’t really matter at this point. If he didn’t, somebody else might have. What’s done is done, and this event serves as a stark reminder of the risks associated with the patch gap.
If you want to be informed when the patch for this exploit has officially made it to production, consider bookmarking this article, and we’ll provide an update when the patch is released. If you want to stay informed about the latest IT news, subscribe to PDQ.com’s blog as we cover everything from PowerShell and security news to product tips and guides.