Chrome Zero-Day Exploit Posted on Twitter – Patch Followed by Similar Exploit Days Later

A rare Chrome zero-day exploit (remote code execution – RCE) was posted on Twitter earlier in April by security researcher Rajvardhan Agarwal. Accompanying the Tweet was a GitHub link to the exploit code. The vulnerability affects browsers using the Chromium framework, such as Google Chrome, Microsoft Edge, Opera, and Brave – particularly when running on Windows systems.

Said Tweet read, “Just here to drop a chrome 0day. Yes you read that right.”

The original exploit was developed by security researchers Bruno Keith and Niklas Baumstark of Dataflow Security for the Pwn2Own contest that took place in the first week of April. The Tweet revealing the exploit apparently surprised even its original developers, with Baumstark replying, “Getting popped with our own bugs wasn’t on my bingo card for 2021.”

The two won a $100,000 bounty for their work, and the rules of the Pwn2Own contest require that they share the exploit as soon as possible with Chrome’s security teams so that a fix can be developed.

The incident reiterates the importance and effectiveness of using proactive measures to identify and manage security threats. For this purpose, you can use techniques such as ethical hacking and penetration testing.

LIFARS’s penetration testing team will test the real-world effectiveness of your security controls while achieving compliance and protecting your brand. The main members of our core team are cyberwarfare experts, NATO Offensive Top Security Clearance holders and ex-NSA personnel. Our ethical hackers will find weaknesses in your infrastructure, exploit them, and report their findings.

How does it work? What is the risk?

As posted, the exploit code consists of a proof-of-concept HTML file along with a corresponding JavaScript file. It is loaded simply by opening the HTML file in a Chrome browser. The exploit uses a type mismatch bug to run malicious code within Chrome and Edge. To illustrate its effectiveness, the PoC version of the code launches the Windows calculator (calc.exe) program.

Luckily, neither Agarwal nor the original developers released an entirely weaponized version of the exploit. Currently, it’s not fully capable of escaping the Chrome “sandbox,” a security container preventing browser-specific code from reaching the underlying OS. However, it is still capable of running malicious code on the Windows operating system. Additionally, it is able to attack services that run embedded versions of Chromium.

What now? How to protect your Chrome/Windows systems?

The Chromium developers fixed the original vulnerability soon after the researchers reported it to its security team. It was fixed even before the exploit code was exposed on Twitter. However, at that time, the update was not yet propagated downstream to Chromium-based browsers, such as Chrome and Edge.

This is commonly called the “open-source patch gap,” and it’s just another example of the sometimes significant delays that occur between when a vulnerability is fixed in the underlying open-source framework and when that fix makes its way down to end-user application updates.

This can lead to security fixes for open-source projects inadvertently turning into 0-day exploits. In fact, this is exactly how Agarwal managed to recreate Bruno Keith and Niklas Baumstark’s original exploit: by spotting the fix in the latest V8 developer update.

The Common Vulnerabilities and Exposures (CVE) identifier for said exploit is CVE-2021-21220, with the description: “Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”

A patch was released soon after, on 13 April, by Chrome with version 89.0.4389.128 for Windows, Mac and Linux, which was rolled out over the following weeks.

However, another 0-day exploit PoC was dropped for Chrome a day after the release of this update. CVE-2021-21224 also involves type confusion within the Chromium framework to allow RCE via a crafted HTML page. Chrome subsequently rolled out version 90.0.4430.85 for Windows, Mac and Linux on 20 April with a patch for the new exploit as well as a number of other security issues.
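
To see how many machines are still sitting in the patch gap, you can compare the Chromium version each browser reports against the two fixed-in versions named above. The following is an added example, not code from the researchers or from Chrome: the log format, host names and sample User-Agent strings are constructed, and it assumes the `Chrome/` token in the User-Agent reflects the Chromium base that a downstream browser (Edge, Opera, Brave) is built on.

```python
import re

# Fixed-in Chrome versions as stated in this article.
FIXED_IN = {
    "CVE-2021-21220": (89, 0, 4389, 128),
    "CVE-2021-21224": (90, 0, 4430, 85),
}

# Chromium-based browsers report their Chromium base in the "Chrome/" token.
CHROME_TOKEN = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")

def chromium_version(user_agent):
    """Return the Chromium version as a 4-tuple of ints, or None if absent."""
    m = CHROME_TOKEN.search(user_agent)
    return tuple(int(p) for p in m.groups()) if m else None

def missing_fixes(user_agent):
    """List CVEs whose fixed-in version is newer than the reported version."""
    version = chromium_version(user_agent)
    if version is None:
        return []  # not Chromium-based, or the token was stripped
    # Tuples compare numerically, so 100.x sorts after 90.x (strings would not).
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def audit(log_lines):
    """Map each host (first tab-separated field) to the fixes it lacks."""
    findings = {}
    for line in log_lines:
        host, _, ua = line.partition("\t")
        gaps = missing_fixes(ua)
        if gaps:
            findings.setdefault(host, set()).update(gaps)
    return {host: sorted(cves) for host, cves in findings.items()}

# Constructed sample proxy-log lines in the assumed "<host>\t<User-Agent>" format.
SAMPLE_LOG = [
    "ws-014\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36",
    "ws-022\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36 Edg/89.0.774.77",
    "ws-031\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
    "ws-040\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0",
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_LOG).items():
        print(host, "is missing fixes for", ", ".join(cves))
```

User-Agent strings can be altered by the client, so treat the result as a starting list for follow-up rather than an authoritative inventory.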

Conclusion

If anything, the whole incident shows the relentlessness of emerging security threats and the variety of ways they can arise. To be truly informed of potential security risks, you need to stay up to date not only with end-user software such as your browsers, but also with the vulnerabilities, zero-day exploits, etc. of their upstream software and frameworks.
