ndays are also 0days: Can hackers launch 0day RCE attack on popular softwares only with chromium ndays?

Presented at DEF CON 31 (2023), Aug. 12, 2023, 3:30 p.m. (45 minutes)

Chromium is not only the most popular browser in the world but also one of the most widely integrated supply-chain components. Much popular software is built on Chromium-based frameworks such as CEF [3] and Electron [4], so a vulnerability in Chromium directly affects that software. In addition, under Google's vulnerability disclosure policy, the details of most Chromium vulnerabilities are made public 14 weeks after the fix ships, and many of these are high-impact bugs that may lead to RCE. (Because Chromium is open source, the fix commit itself lands in the public repository before the bug report is opened, so an attacker willing to diff patches does not even have to wait the full 14 weeks.)

Unfortunately, we have found that much downstream software does not pick up Chromium fixes in time. This creates a window in which attackers can carry out RCE attacks on popular software at relatively low cost: the interval between the public disclosure of a Chromium vulnerability and the downstream software shipping the fix. We call this window the "RCE window period".

In this talk we first measure the RCE window period of more than 20 popular applications. We then show how, within that window, Chromium nday vulnerabilities can be turned into 0day vulnerabilities in popular software at low cost, using more than 10 RCE 0days we discovered in popular software as examples. Some software enables the sandbox to mitigate this problem, so we also show how to bypass the sandbox by exploiting vulnerabilities in the software itself rather than a Chromium sandbox bug. Finally, we discuss why the RCE window period exists and the lessons learned from it, in the hope of helping software developers improve the security of their products.
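As an added illustration of the "RCE window period" (example code written for this page, not from the talk or its authors): the script below takes the Chromium version an app embeds, read from its renderer user agent string, compares it against a list of Chromium security fixes, and reports how long the app has been exposed to fixes whose details are already public. The app names, user agents, bug ids, versions and dates are constructed; the 14-week disclosure delay is the figure from the abstract.

```python
"""Estimate the "RCE window period" for Chromium-based desktop apps
(Electron, CEF, JCEF). Added example; not code from the talk or its authors.

The embedded Chromium version is taken from the renderer's user agent string,
which Electron and CEF apps expose as "... Chrome/<version> ..." (Electron also
appends "Electron/<version>"). A Chromium security fix is modelled as the first
release that carries it plus the date that release shipped; per the abstract,
bug details become public 14 weeks after the fix. An app is inside the window
for every public fix whose version is newer than the one it embeds.

All app names, user agents, bug ids, versions and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

DISCLOSURE_DELAY = timedelta(weeks=14)  # figure taken from the abstract
AUDIT_DATE = date(2023, 5, 1)           # constructed "today" for the report

# Chromium version token in a renderer user agent, e.g. "Chrome/108.0.5359.215".
CHROME_TOKEN = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a 4-tuple, padding missing parts."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def chromium_version_from_ua(user_agent):
    """Return the embedded Chromium version string, or None if there is none."""
    m = CHROME_TOKEN.search(user_agent)
    return m.group(1) if m else None


@dataclass(frozen=True)
class SecurityFix:
    bug_id: str      # tracker id (constructed here, not a real crbug id)
    fixed_in: str    # first Chromium release that carries the fix
    fixed_on: date   # date that release shipped

    def disclosed_on(self):
        """Date the bug details become public under the 14-week policy."""
        return self.fixed_on + DISCLOSURE_DELAY


def missing_fixes(embedded_version, fixes):
    """Every fix whose release is newer than the version the app embeds."""
    embedded = parse_version(embedded_version)
    return [f for f in fixes if embedded < parse_version(f.fixed_in)]


def rce_window(embedded_version, fixes, today):
    """(days the window has been open, missing fixes that are already public).

    Only disclosed fixes count: once the details are out, exploiting the bug
    against a lagging downstream app is the low-cost attack the abstract
    describes. The window opens at the earliest such disclosure.
    """
    public = [f for f in missing_fixes(embedded_version, fixes)
              if f.disclosed_on() <= today]
    if not public:
        return 0, []
    opened = min(f.disclosed_on() for f in public)
    return (today - opened).days, public


def triage(apps, fixes, today):
    """Map app name -> (embedded version, days open, public missing bug ids)."""
    report = {}
    for name, ua in apps.items():
        version = chromium_version_from_ua(ua)
        if version is None:
            report[name] = (None, 0, [])
            continue
        days, public = rce_window(version, fixes, today)
        report[name] = (version, days, [f.bug_id for f in public])
    return report


# --- constructed sample data (not real bugs, releases or products) ----------
FIXES = [
    SecurityFix("constructed-bug-1", "109.0.5414.75", date(2023, 1, 10)),
    SecurityFix("constructed-bug-2", "110.0.5481.100", date(2023, 2, 7)),
]

APPS = {
    "lagging-electron-app": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                            "(KHTML, like Gecko) Chrome/108.0.5359.215 "
                            "Electron/22.0.0 Safari/537.36",
    "current-cef-app": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) "
                       "Chrome/110.0.5481.100 Safari/537.36",
    "one-behind-app": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) "
                      "Chrome/109.0.5414.75 Safari/537.36",
}

if __name__ == "__main__":
    for name, (version, days, bugs) in triage(APPS, FIXES, AUDIT_DATE).items():
        print(f"{name}: Chromium {version}, window open {days} days, "
              f"public ndays missing: {bugs}")
```

On the constructed data the report shows a 13-day open window for the app embedding Chromium 108 and none for the other two. The app on 109 is still missing the 110 fix, but that bug is not yet public on the audit date; that is exactly the state in which a downstream vendor should already be shipping the update, since the window opens the moment the bug report does.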
References:

[1] https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html
[2] https://bugs.chromium.org/p/chromium/issues/list?q=Type%3DBug-Security&can=2
[3] https://bitbucket.org/chromiumembedded/cef/wiki/GeneralUsage
[4] https://www.electronjs.org/docs/latest/
[5] https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Junyu-Zhou-and-Ce-Qin-and-Jianing-Wang-Web2Own-Attacking-Desktop-Apps-From-Web-Securitys-Perspective.pdf
[6] https://i.blackhat.com/USA-22/Thursday/US-22-Purani-ElectroVolt-Pwning-Popular-Desktop-Apps.pdf
[7] https://plugins.jetbrains.com/docs/intellij/jcef.html
[8] https://medium.com/@ethicalkid/recent-burp-rce-zeroday-df39b1b24230
[9] https://crbug.com/1307610
[10] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libselinux/src/android/android_seapp.c
[11] https://security.googleblog.com/2021/07/protecting-more-with-site-isolation.html

Presenters:

  • GuanCheng Li - Senior Security Researcher at Tencent Security Xuanwu Lab
    Guancheng Li (@atuml1) is a senior researcher at Tencent Security Xuanwu Lab. His research interests are focused on software and system security, IoT security, software engineering and AI. He is also a founder and former captain of r3kapig CTF Team.
  • Zheng Wang - Senior Security Researcher at Tencent Security Xuanwu Lab
    Zheng Wang (@xmzyshypnc) is a senior security researcher at Tencent Security Xuanwu Lab. He mainly works on browser and Linux kernel security. He also spoke at Black Hat Asia 2023.
  • Bohan Liu - Senior Security Researcher at Tencent Security Xuanwu Lab
    Bohan Liu (@P4nda20371774) is a senior security researcher at Tencent Security Xuanwu Lab. He focuses on browser security research and has discovered multiple Chrome vulnerabilities. He also presented his research results on Kanxue SDC and Black Hat Asia.
