A Tale of Two Pwnies (Part 1) (opens in new tab)

(blog.chromium.org)

253 pointstkazec14y ago78 comments

78 comments

36 comments · 11 top-level

moistgorilla14y ago· 8 in thread

This really takes you into the mind of a hacker(the malicious kind). Judging from what I saw it seems they combine a ton of small exploits to produce a major security breach. The amount of understanding of the underlying system you need to have in order to put these exploits together is mind boggling.

What do we do against people like this?

lawnchair_larry14y ago

I don't like how you vilify him and call him malicious. Nothing about this was malicious. He even gave it to google for far less than it was worth. This was a legitimate audit and demonstration and it is wrong to associate anything negative with it.

What do we do against people like this?

You're asking the wrong question. Remember, he didn't put those bugs there. He didn't break anything. It was already broken. He just found the hole by reading exactly what you gave him.

What you should be asking is, how do we stop making software with vulnerabilities. The goal is to make it so that there is no hole to find, not to get rid of the hole-finders.

shmageggy14y ago

Just to play angel's advocate, your parent could have been referring to an abstract malicious hacker, who would probably think the same way and use the same techniques as Pinky. The "mind of a hacker (the malicious kind)" is probably very much like the mind of Pinky, except for the parts governing ethics. And he asks what to do "against people like this", not what to do against Pinky himself.

But you are right, and it is valuable to point out that neither Pinky nor Homakov nor any other talented whitehat are in no way malicious.

JamesLeonis14y ago

IMHO, as Pinkie demonstrated, there isn't anything foolproof that you can do against a malicious hacker. Having sponsored and/or incentives for white hat hackers to find and report exploits seems to be the best answer.

If this stance were adopted into the wider software development community, would it turn more black hat hackers into white hats?

EDIT: grammar

TheBoff14y ago

Pay them to find the bugs!

skeletonjelly14y ago

Just don't let them run out of bugs to find, or get bored :P

1 more reply

rgoddard14y ago

Honestly, the overall process reminds me of what I do some days trying to automate processes which were not designed to be automated. I know what I want to do, I just have to figure out how, step by small step, using things not in the way they were intended to be used.

lucian190014y ago

The term you're looking for is "cracker".

lawnchair_larry14y ago

No, crackers defeat software protections. No one in the security industry (legitimate or otherwise), uses the term cracker for anything other than that, despite what Eric S Raymond et al would like you to believe.

tptacek14y ago· 7 in thread

What's amazing about this bug is that at every step you learn something that makes Pinkie Pie more terrifying while simultaneously making the Chrome security model sound more and more forbidding.

Natsu14y ago

And the worst is yet to come....

---

In an upcoming post, we’ll explain the details of Sergey Glazunov’s exploit, which relied on roughly 10 distinct bugs. While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies. So, we won’t be posting that part until we’re comfortable that all affected products have had an adequate time to push fixes to their users.

emmelaich14y ago

I'm looking forward to that one too.

Previous reference on hackernews here: http://news.ycombinator.com/item?id=3682664

obtu14y ago

I was wondering what was taking them so long, as I recall the blogposts at the time promised that disclosure and a postmortem would come “soon”. Now that we have some detail I'm lapping it up.

zobzu14y ago

The post is great in itself (clear and easy) but the constant marketing speech about how great Chrome is regardless of the bugs gets on my nerves to be honest. Yes Chrome is a very good browser, but I don't have to read that every paragraph in various forms... specially for tech articles.

It also looks like to me that devs commit code in a more lazy way since Chrome has a strong sandbox model for various components. But as a result, it seems easier to find many bugs that, when combined, bypass the sandbox, as show.

Just my 2cts ;-)

1 more reply

pcwalton14y ago

Except for the memory corruption part. When reading that, I'm more aghast that we're still dealing with these basic bugs like "out of bounds array write leads to ROP chain that executes arbitrary code in the process". That just makes me feel even more that huge million-line codebases of C++, even well-engineered code like Chrome, cannot be trusted, because of the fundamental flaws in the C++ memory model for code that must be secure.

architgupta14y ago

The other thing I wonder about is that in 2040, will we be still worrying about buffer overflows?

tptacek14y ago

I really doubt that we'll be using programming environments where memory corruption is possible in 2040.

2 more replies

mark-r14y ago· 4 in thread

If you don't have a young girl you might not appreciate the link between "Pinkie Pie" and "Pwnie": http://mlp.wikia.com/wiki/Pinkie_Pie

lotharbot14y ago

> "If you don't have a young girl"

Most of my recent MLP exposure is through my 20-something brother. Apparently he's in one of the larger demographics for the modern show. See http://en.wikipedia.org/wiki/My_Little_Pony:_Friendship_Is_M...

CrazedGeek14y ago

Somewhat OT, but the show has a fairly sizable periphery demographic (males 13-35), which I would guess the hacker considers himself a part of. More information: http://knowyourmeme.com/memes/subcultures/my-little-pony-fri...

btown14y ago

Pinkie's not the only brony hacker either. Consider this Rainbow Dash fan: http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_c... ... and in general, there are a plethora of bronies scattered across the startup world and CS academia (full disclosure: myself included).

Zirro14y ago

Or perhaps not: https://secure.wikimedia.org/wikipedia/en/wiki/My_Little_Pon... :)

Considering that he is a teenage hacker, it's likely that he is a Brony himself.

jorgem14y ago· 3 in thread

So crazy. I wonder how long it took to come up with that attack? There must have been a ton of dead ends along the way.

wizzard14y ago

Well, if you start from the last step (I want to load an NPAPI extension because I can gain control from one) and work backwards it seems a little less like stumbling in the dark.

I liked the confirmation prompt bug though, that was icing on the cake.

jorgem14y ago

Backwards... smart!

rpicard14y ago

> A teenage hacker who identified himself only as PinkiePie said he spent the past week and a half working on the attack.

Source: http://arstechnica.com/business/2012/03/googles-chrome-brows...

pilif14y ago· 2 in thread

In the end it all boiled down to old-style plugins. All the exploits were used to finally install and run an old-style NPAPI plugin.

Just like ActiveX, these are binary code that usually runs outsidE of any sandboxing due to compatibility reasons.

With NaCL or just the advances in HTML and related technologies, this kind of plugin really should have outlived its usefulness by now and maybe it's time to drop support - at least support for all plugins but a few whitelisted ones from the older ages.

Like Flash and maybe QuickTime (though both have a terrible security track record).

Though considering the persistence of piling up bugs that was happening here, for all we know, there would have been a different exploit somewhere else that could have worked even without NPAPI. It would just close one more attack surface.

aboodman14y ago

Wait until you see the other one. There are a surprising and depressing number of ways to get a browser to run native code on legacy operating systems.

Yes, plugins should go away. No, that won't stop this kind of thing :/.

Arelius14y ago

Let's be fair here, This particular bug used an NPAPI installation to finally get full access, but there many other significant breaches of security previous to this, it seems that the final step, was likely one with the most potential vulnerabilities, with NPAPI just being the easiest to install the payload.

thereason14y ago· 1 in thread

"a low level interface to the GPU command buffer"

This sounds cool. Is this a standard feature in Chrome?

obtu14y ago

It's available for extensions I think (there's also the higher-level WebGL which you must be aware of), and requires whitelisted graphic drivers. As you can see, graphic acceleration offers a huge attack surface (memory-unsafety in C++ code, plus logic bugs at highly privileged levels like graphic drivers, firmware, and the hardware itself). Some of these layers realistically won't be protected until they have proper IOMMU support.

picklefish14y ago

I'd love to see a writeup from Pinkie Pie on the steps and tools he used to find these bugs. Reversing write-ups are always entertaining to read.

Jun814y ago

So for about $120K+ they had more than 16 significant bugs discovered in Chromium. That's really cheap!

cnbeuiwx14y ago

This is a real hacker. I wish I had this kind of passion and intelligence myself. :)

jtchang14y ago

It is scary that once you have a foothold it just becomes a matter of time until someone figures out how to use it to piggyback on to more unrestricted space.

tobyjsullivan14y ago

Just... sick! Wow. Speechless.

j / k navigate · click thread line to collapse

78 comments

36 comments · 11 top-level

moistgorilla14y ago· 8 in thread

What do we do against people like this?

lawnchair_larry14y ago

What do we do against people like this?

You're asking the wrong question. Remember, he didn't put those bugs there. He didn't break anything. It was already broken. He just found the hole by reading exactly what you gave him.

What you should be asking is, how do we stop making software with vulnerabilities. The goal is to make it so that there is no hole to find, not to get rid of the hole-finders.

shmageggy14y ago

But you are right, and it is valuable to point out that neither Pinky nor Homakov nor any other talented whitehat are in no way malicious.

JamesLeonis14y ago

If this stance were adopted into the wider software development community, would it turn more black hat hackers into white hats?

EDIT: grammar

TheBoff14y ago

Pay them to find the bugs!

skeletonjelly14y ago

Just don't let them run out of bugs to find, or get bored :P

1 more reply

rgoddard14y ago

lucian190014y ago

The term you're looking for is "cracker".

lawnchair_larry14y ago

tptacek14y ago· 7 in thread

What's amazing about this bug is that at every step you learn something that makes Pinkie Pie more terrifying while simultaneously making the Chrome security model sound more and more forbidding.

Natsu14y ago

And the worst is yet to come....

---

emmelaich14y ago

I'm looking forward to that one too.

Previous reference on hackernews here: http://news.ycombinator.com/item?id=3682664

obtu14y ago

I was wondering what was taking them so long, as I recall the blogposts at the time promised that disclosure and a postmortem would come “soon”. Now that we have some detail I'm lapping it up.

zobzu14y ago

Just my 2cts ;-)

1 more reply

pcwalton14y ago

architgupta14y ago

The other thing I wonder about is that in 2040, will we be still worrying about buffer overflows?

tptacek14y ago

I really doubt that we'll be using programming environments where memory corruption is possible in 2040.

2 more replies

mark-r14y ago· 4 in thread

If you don't have a young girl you might not appreciate the link between "Pinkie Pie" and "Pwnie": http://mlp.wikia.com/wiki/Pinkie_Pie

lotharbot14y ago

> "If you don't have a young girl"

CrazedGeek14y ago

btown14y ago

Zirro14y ago

Or perhaps not: https://secure.wikimedia.org/wikipedia/en/wiki/My_Little_Pon... :)

Considering that he is a teenage hacker, it's likely that he is a Brony himself.

jorgem14y ago· 3 in thread

So crazy. I wonder how long it took to come up with that attack? There must have been a ton of dead ends along the way.

wizzard14y ago

Well, if you start from the last step (I want to load an NPAPI extension because I can gain control from one) and work backwards it seems a little less like stumbling in the dark.

I liked the confirmation prompt bug though, that was icing on the cake.

jorgem14y ago

Backwards... smart!

rpicard14y ago

> A teenage hacker who identified himself only as PinkiePie said he spent the past week and a half working on the attack.

Source: http://arstechnica.com/business/2012/03/googles-chrome-brows...

pilif14y ago· 2 in thread

In the end it all boiled down to old-style plugins. All the exploits were used to finally install and run an old-style NPAPI plugin.

Just like ActiveX, these are binary code that usually runs outsidE of any sandboxing due to compatibility reasons.

Like Flash and maybe QuickTime (though both have a terrible security track record).

aboodman14y ago

Wait until you see the other one. There are a surprising and depressing number of ways to get a browser to run native code on legacy operating systems.

Yes, plugins should go away. No, that won't stop this kind of thing :/.

Arelius14y ago

thereason14y ago· 1 in thread

"a low level interface to the GPU command buffer"

This sounds cool. Is this a standard feature in Chrome?

obtu14y ago

picklefish14y ago

I'd love to see a writeup from Pinkie Pie on the steps and tools he used to find these bugs. Reversing write-ups are always entertaining to read.

Jun814y ago

So for about $120K+ they had more than 16 significant bugs discovered in Chromium. That's really cheap!

cnbeuiwx14y ago

This is a real hacker. I wish I had this kind of passion and intelligence myself. :)

jtchang14y ago

It is scary that once you have a foothold it just becomes a matter of time until someone figures out how to use it to piggyback on to more unrestricted space.

tobyjsullivan14y ago

Just... sick! Wow. Speechless.

j / k navigate · click thread line to collapse