Security Research

Chrome on a Nexus 4 and Samsung Galaxy S4 falls

Heather_Goudey on ‎11-13-2013 10:23 PM

Day two of Mobile Pwn2Own and after a quiet morning wondering whether the remaining registered contestants would be ready, we had another competitor enter the fray to take a stab at Chromium on the Nexus 4.


After an initial delay while we ensured that the targeted device was configured appropriately, we again witnessed, within minutes, a successful exploit on two different devices and were ready to pay $50,000 USD for the privilege. Pinkie Pie compromised Chrome on both a Nexus 4 and a Samsung Galaxy S4 just for good measure.


The exploit took advantage of two vulnerabilities: an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape. Together, these vulnerabilities make remote code execution on the affected device possible.


After demonstrating on the Nexus 4, Pinkie Pie turned his attentions to the Samsung Galaxy S4 and within moments it had fallen as well, to be met with applause from the watching crowd.


Similar to the exploits we saw on day one of our contest, for the user’s device to be successfully compromised, the user would need to be enticed to visit a malicious site and so be exposed to the malicious code. Again, the attack depends on first getting the user to take an action (e.g. clicking a link in an email, in an SMS or on another web page) and then compromising the device by exploiting these vulnerabilities. The final outcome would be the remote execution of code of an attacker’s choice.


This vulnerability has been disclosed to Google, which is working to address it.

Comments
infotech review
on ‎01-21-2014 09:41 AM

Thanks for sharing information on research Nexus and Samsung
