An update to Google’s browser that fixes the flaw is expected to be released on Tuesday.
A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework.
Security researcher Rajvardhan Agarwal tweeted a GitHub link to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday.
“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.”
However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge and others, leaving them potentially vulnerable to attacks. Google is expected to release a new Chrome version —including security fixes— sometime on Tuesday, though it’s unclear if patches for the bug will be included.
As of the time of publication, a Chrome update had not yet been released and Google had not yet replied to an email by Threatpost requesting comment about the flaw and the update.
Not Fully Weaponized
Security researchers Bruno Keith and Niklas Baumstark of Dataflow Security developed the exploit code for a type mismatch bug during last’s week’s contest, and used it to successfully exploit the Chromium vulnerability to run malicious code inside Chrome and Edge. They received $100,000 for their work.
The researchers seemed surprised that Agarwal posted the exploit on Twitter, with Baumstark tweeting a response to Agarwal’s post on Monday. “Getting popped with our own bugs wasn’t on my bingo card for 2021,” he tweeted.
While the exploit code that Agarwal posted does indeed allow an attacker to run malicious code on a user’s operating system, he apparently was not unscrupulous enough to post a fully weaponized version of the code, according to The Record — he did not post a full exploit chain that would allow sandbox escape.
Still, the exploit as posted could still attack services that run embedded/headless versions of Chromium, where sandbox protections aren’t usually enabled, Agarwal told The Record.
The 2021 Pwn2Own spring edition, sponsored by Trend Micro’s Zero Day Initiative, was held online last week after organizers published a list of eligible targets for the contest in January. The contest drew multiple teams and included 23 hacking sessions against 10 different products from the list of predefined targets.
The teams had 15 minutes to run their exploit code and achieve RCE inside the targeted app, receiving various monetary awards — with $1.5 million in total prize money at stake — for each successful exploit from the contest’s sponsors as well as points towards the overall ranking.