A researcher has made public an exploit and details for an unpatched vulnerability affecting Chrome, Edge and other web browsers that are based on the open source Chromium project. This is the second Chromium proof-of-concept (PoC) exploit released this week.
The second exploit was publicly disclosed by a researcher who uses the online moniker Frust and who works for Chinese cybersecurity company Qihoo 360. Frust announced the availability of an exploit for a “zero-day” Chrome vulnerability on Twitter on Wednesday, and a few hours later published a blog post with a technical description of the vulnerability (in Chinese), which actually exists in the Chromium code.
Mitja Kolsek, CEO of ACROS Security and co-founder of third-party patching service 0patch, has confirmed for SecurityWeek that the vulnerability disclosed by Frust has not been patched in the latest versions of Chrome and Edge that were released this week. Chrome 90 was released on Wednesday, but it does not fix this security hole, for which a CVE identifier has apparently yet to be assigned.
The vulnerability disclosed by Frust, Kolsek said, can be exploited for arbitrary code execution in the browser process by tricking the targeted user into visiting a malicious website. However, it only works if the browser sandbox is disabled or if the attacker combines it with a sandbox escape exploit.
This is the second Chromium vulnerability for which an exploit has been released this week. The first vulnerability was fixed with a Chrome 89 update released by Google on Tuesday. The Chrome update patched two high-severity vulnerabilities tracked as CVE-2021-21206 and CVE-2021-21220.
CVE-2021-21220 is an issue in v8 and it was demonstrated last week at the Pwn2Own 2021 hacking competition by Bruno Keith and Niklas Baumstark of Dataflow Security. Keith and Baumstark earned $100,000 at Pwn2Own after demonstrating a remote code execution exploit that worked against both Edge and Chrome.
However, a few days after the competition ended, 18-year-old researcher Rajvardhan Agarwal made public a PoC exploit for CVE-2021-21220. Agarwal analyzed the changes made by Chromium developers to v8 in response to the vulnerability disclosed by Keith and Baumstark, which enabled him to develop an exploit for it. Google had at that point developed a patch, but it had not been pushed out to regular Chrome users.
Agarwal told SecurityWeek that he released his exploit, which also works only if the Chrome sandbox is disabled or bypassed, to demonstrate that it’s “still possible to develop weaponized exploits during the patch-gapping period.” Frust also pointed out the security risks associated with patch-gapping in his blog post.
Patch-gapping refers to exploiting open source software vulnerabilities that have already been fixed by developers — or are in the process of being patched — before the actual patch is shipped to regular users.
“I find it impressive how quickly someone was able to find these vulnerabilities in Chromium’s public bug tracker and devise an exploit for them,” Kolsek told SecurityWeek.
When it patched CVE-2021-21206 and CVE-2021-21220 on Tuesday, Google said it had been “aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.”
Microsoft has also patched CVE-2021-21220 in its Edge web browser this week, but the vulnerability disclosed by Frust remains unfixed.
Chrome 90 patches
According to Google, Chrome 90 brings 37 security fixes, including a high-severity use-after-free bug that earned security researchers at Chinese tech company Tencent $20,000. It also addresses a use-after-free flaw discovered by researcher David Erceg, which earned him $10,000.
Two use-after-free bugs in the Blink browser engine were also assigned a high severity rating, earning the reporting researchers $5,000 and $1,000, respectively.
There are also a couple of high-severity vulnerabilities, reported by researchers at Microsoft and Qihoo 360, for which Google has yet to determine a reward. The remaining vulnerabilities patched in Chrome 90 have been rated medium or low severity.