December 21, 2014

The difference between an expoit and vulnerability

(LiveHacking.Com) – Any reader of this blog will inevitably come across words like vulnerability, exploit, malware, Trojan and so on. Some of these words have connected meanings but in themselves they have clear and separate definitions.  For example a Trojan is a type of malware, but not all malware is a Trojan. What about ‘vulnerability’ and ‘exploit’, are they they same thing? If not, what is the connection?

A vulnerability is a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. It isn’t an open door but rather a weakness which if attacked could provide a way in.

Exploiting is the act of trying to turn a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can therefore be ‘exploited’ to turn it into viable method to attack a system.

In software (rather than whole systems including the people, the computers, the firewalls and the networks etc), the most common type of vulnerability is a memory error. These can be buffer overflows, heap corruptions or NULL pointer de-references. Once a memory issue has been discovered an attacker will try to exploit it by manipulating how the memory is corrupted in the hope to alter some aspect of the addressing (maybe a return address). This can then be used to make the CPU run code in another part of memory. If arbitrary code execution is achieved then the system can be exploited. The extent of the exploit will depend on the nature of the vulnerability,  if privilege elevation was achieved and the extent of technologies such as sand-boxing or address space layout randomization (ASLR).

Turning a software vulnerability into an exploit can be hard. Google, for example, rewards security researchers for finding vulnerabilities in its Chrome web browser. The payouts Google make are in the range of $500 to $3000. However it also runs competitions for security specialists to present exploited vulnerabilities. These exploits are rewarded much larger sums, as much as $60,000. The difference in payouts reflects the magnitude of the task when trying to exploit a vulnerability.

Google Hands Out $4500 in Rewards for Chrome 17.0.963.83

(LiveHacking.Com) – Google has released Chrome 17.0.963.83 to fix several ‘High’ level security bugs. In doing so it handed out $4500 to security researchers who found and reported security related bugs in Google’s web browser. The new update also include the start of hardening measures based on study of the exploits submitted to the Pwnium competition.

Security fixes and rewards:

  • [$1000] [113902] High CVE-2011-3050: Use-after-free with first-letter handling. Credit to miaubiz.
  • [116162] High CVE-2011-3045: libpng integer issue from upstream. Credit to Glenn Randers-Pehrson of the libpng project.
  • [$1000] [116461] High CVE-2011-3051: Use-after-free in CSS cross-fade handling. Credit to Arthur Gerkis.
  • [116637] High CVE-2011-3052: Memory corruption in WebGL canvas handling. Credit to Ben Vanik of Google.
  • [$1000] [116746] High CVE-2011-3053: Use-after-free in block splitting. Credit to miaubiz.
  • [117418] Low CVE-2011-3054: Apply additional isolations to webui privileges. Credit to Sergey Glazunov.
  • [117736] Low CVE-2011-3055: Prompt in the browser native UI for unpacked extension installation. Credit to PinkiePie.
  • [$2000] [117550] High CVE-2011-3056: Cross-origin violation with “magic iframe”. Credit to Sergey Glazunov.
  • [$500] [117794] Medium CVE-2011-3057: Invalid read in v8. Credit to Christian Holler.

Google also listed a low severity issue that was fixed in a previous patch but the company had forgotten to issue a proper credit:

  • [108648] Low CVE-2011-3049: Extension web request API can interfere with system requests. Credit to Michael Gundlach.

Note that the referenced bugs may be kept private until a majority of Chrome users are up to date with the fix.

 

Google Updates Chrome and then Updates it Again

(LiveHacking.Com) – Google has released two quick successive updates to its Chrome browser following multiple vulnerabilities found and exploited during Pwnium. In recent years Google has sponsored rewards for Chrome exploits demonstrated during the CanSecWest security conference, and this year was no different. The idea is to rewards those that develop a fully functional exploit as to do so is significantly more work than just finding and reporting a potential security bug. Google made a pot available of $1,000,000 with the top prize being $60,000 for a full Chrome exploit demonstrated on a fully patched Windows 7 machine.

The first release by Google was 17.0.963.78 to fix a vulnerability discovered by Sergey Glazunov. The critical vulneravility, which used errors in the UXSS and the handling of history data, earned Sergey the top amount of $60,000.

Two days later Google issued 17.0.963.79 to fix a vulnerability found by PinkiePie (aka PwniePie) for an errant plug-in load and GPU process memory corruption. Jason Kersey from the Google Chrome team is quoted as calling the exploit “a beautiful piece of work.”

The full list of changes as listed by Google are:

  • [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
  • [Like a b-b-b-b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047: Errant plug-in load and GPU process memory corruption. Credit to PinkiePie.

We’re delighted at the success of Pwnium and the ability to study full exploits. We anticipate landing additional changes and hardening measures for both CVE-2011-3046 and CVE-2011-3047 in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwnium submissions in the future.