Chrome Zero-Day Exploit Posted

A security researcher has published on Twitter a proof-of-concept exploit for a zero-day remote code execution vulnerability that works against the current releases of Google Chrome and Microsoft Edge.

A zero-day vulnerability is a security bug that has been publicly disclosed before a patch is available in the released version of the affected software.

Security researcher Rajvardhan Agarwal tweeted a GitHub link to the exploit code on Monday. The bug is the one demonstrated at the Pwn2Own ethical hacking contest held online last week.

“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.”

Pwn2Own contest rules require that the Chrome security team receive details of the exploit so that it can patch the vulnerability as soon as possible, which it did: the latest version of the Chrome V8 JavaScript engine contains the fix, Agarwal said in a comment posted in reply to his own tweet.

However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge and others, leaving them potentially vulnerable to attack. Google is expected to release a new Chrome version including security fixes sometime on Tuesday, though it is unclear whether a fix for this bug will be included.

Agarwal states that the vulnerability is fixed in the latest version of the V8 JavaScript engine, but it is not clear when Google will roll that fix out to Google Chrome.

When the PoC, an HTML file and the JavaScript file it loads, is opened in a Chromium-based browser, it exploits the vulnerability in the renderer process to launch the Windows calculator (calc.exe), the conventional demonstration that arbitrary code execution was achieved.

While no developer likes a zero-day release for their software, the good news is that Agarwal's exploit cannot currently escape the browser's sandbox. The Chrome sandbox is a security boundary that confines the renderer process in which web content runs, so that code execution inside that process cannot, on its own, launch programs on or otherwise reach the host computer; the posted PoC launches calc.exe only when the browser is run with its sandbox disabled.

For Agarwal's RCE exploit to compromise a normally configured browser, it would need to be chained with a second vulnerability that allows the attacker to escape the Chromium sandbox.

Still, the exploit as posted could attack services that run embedded or headless versions of Chromium, where sandbox protections are often not enabled, Agarwal told The Record.
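The practical takeaway from the two preceding paragraphs is that the exposed population is not desktop browsers but Chromium instances started with the sandbox turned off: headless scrapers, PDF/screenshot renderers, Electron apps and similar. The following audit script is an added example written for this article, not code from Agarwal or from the Chromium project. It classifies process command lines by looking for Chromium-family executables and the real Chromium switches that disable or weaken the sandbox (`--no-sandbox`, and on Linux `--disable-setuid-sandbox`). The sample process list is constructed for illustration; the live scan reads `/proc` and therefore only works on Linux.

```python
"""Find Chromium-family processes that were launched with the sandbox disabled.

Added example for this article; not part of the PoC or of any Chromium tooling.
The process list below is constructed sample data.
"""
import os
import re

# Executable names that are Chromium or embed it (Electron ships a Chromium build).
CHROMIUM_BINARIES = re.compile(
    r"(?:^|[/\\])(?:chrome|chromium(?:-browser)?|msedge|microsoft-edge|"
    r"headless_shell|electron)(?:\.exe)?$",
    re.IGNORECASE,
)

# Real Chromium command-line switches that turn the sandbox off or weaken it.
SANDBOX_WEAKENING_FLAGS = {"--no-sandbox", "--disable-setuid-sandbox"}


def classify(argv):
    """Describe the sandbox state of one process, or return None if it is not Chromium-family.

    Child processes (those carrying --type=...) are skipped so that a browser
    started with --no-sandbox is reported once, via its main process.
    """
    if not argv or not CHROMIUM_BINARIES.search(argv[0]):
        return None
    flags = argv[1:]
    if any(a.startswith("--type=") for a in flags):
        return None
    return {
        "binary": argv[0],
        "headless": any(a == "--headless" or a.startswith("--headless=") for a in flags),
        "sandbox_weakened": sorted(set(flags) & SANDBOX_WEAKENING_FLAGS),
    }


def find_unsandboxed(processes):
    """Given an iterable of (pid, argv) pairs, return findings for processes whose
    sandbox is disabled or weakened, in the order they were seen."""
    findings = []
    for pid, argv in processes:
        info = classify(argv)
        if info and info["sandbox_weakened"]:
            info["pid"] = pid
            findings.append(info)
    return findings


def iter_proc_cmdlines():
    """Yield (pid, argv) for every process visible under /proc (Linux only)."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable by this user
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if argv:
            yield int(name), argv


# Constructed sample data: what a scan of a build/render host might return.
SAMPLE_PROCESSES = [
    (1201, ["/opt/google/chrome/chrome"]),                       # desktop browser, sandbox on
    (1302, ["/usr/lib/chromium/chromium", "--headless",
            "--no-sandbox", "--remote-debugging-port=9222"]),     # headless scraper, exposed
    (1410, ["/usr/bin/node", "render-service.js"]),              # not a browser
    (1455, ["/opt/app/electron", "--no-sandbox"]),               # embedded Chromium, exposed
    (1500, ["/opt/google/chrome/chrome", "--type=renderer",
            "--no-sandbox"]),                                    # child of 1455-style parent, skipped
]


if __name__ == "__main__":
    source = iter_proc_cmdlines() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    for finding in find_unsandboxed(source):
        mode = "headless" if finding["headless"] else "windowed"
        print(f"pid {finding['pid']}: {finding['binary']} ({mode}) "
              f"started with {' '.join(finding['sandbox_weakened'])}")
```

On the sample data the script reports pids 1302 and 1455; the renderer child at 1500 is deliberately folded into its parent's finding. On Windows hosts the same classification can be fed from `Get-CimInstance Win32_Process` command lines instead of `/proc`. Note that absence of `--no-sandbox` is not proof of safety: the switch can also arrive through a wrapper script or, for Chrome, through policy, so treat this as a first-pass inventory rather than a guarantee.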

The 2021 Pwn2Own spring edition, sponsored by Trend Micro’s Zero Day Initiative, was held online last week after organizers published a list of eligible targets for the contest in January. The contest drew multiple teams and included 23 hacking sessions against 10 different products from the list of predefined targets.

The teams had 15 minutes to run their exploit code and achieve RCE inside the targeted app, receiving various monetary awards — with $1.5 million in total prize money at stake — for each successful exploit from the contest’s sponsors as well as points towards the overall ranking.