Issue metadata

Status: Fixed
Closed: Feb 2009

Issue 23: Inner Sandbox Escape (call memory dereference)

Reported by, Dec 11 2008

Issue description

There's an inner sandbox breakout. Apologies for not listing the versions;
I'm on my way out the door. I tested this on Mac OS X using the latest and
greatest versions.

When checking calls, the disassembler fails to check for memory dereferences.

  andl $0xffffffe0, %edx
  call *(%edx)


  andl $0xffffffe0, %edx
  call %edx

Suggested fix:

static void ValidateIndirect5(const struct NCDecoderState *mstate) {

    if (jmpopcode[0] != 0xff) break;
    if ((modrm_reg(mrm) != 2) && (modrm_reg(mrm) != 4)) break;
+    if ((modrm_mod(mrm)) break;
    if (targetreg == kReg_ESP) break;
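Review bot: the added line `+    if ((modrm_mod(mrm)) break;` has an unbalanced opening parenthesis and will not compile, and its condition is inverted for the bug being fixed: the ModRM mod field is 3 for a register operand (`call *%edx`, ff d2) and 0, 1 or 2 for a memory operand (`call *(%edx)`, ff 12), so `if (modrm_mod(mrm)) break;` would reject the legitimate register form (mod 3 is non-zero) while still accepting the mod 0 memory form this issue reports. The check should be `if (modrm_mod(mrm) != 3) break;`, placed as here after the `0xff` opcode and `/2` or `/4` reg-field checks so that only a register-direct target reaches the `targetreg` comparison.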

I've attached the nexe demonstrating this. hownow() code gets executed @
(attachment, 474 KB)
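The following Python is an added illustration, not code from the Native Client validator or from the reporter: it models the and-mask/indirect-call rule the report refers to (mask the target register with 0xffffffe0, then call or jump through that same register, never %esp) and shows why the ModRM mod field has to be checked. The opcode handling, the `check_mod` switch and the hand-assembled sample sequences are my own simplification of the rule.

```python
# Added example (not Native Client code): a toy checker for the x86-32
# "andl $0xffffffe0, %reg ; call/jmp *%reg" pattern from this report.
# ModRM mod == 3 encodes a register operand (call *%edx); mod 0..2 encode a
# memory operand (call *(%edx)), whose value the preceding andl never masked.

REG_ESP = 4  # x86 register number of %esp

def modrm_fields(byte):
    """Split a ModRM byte into its (mod, reg, rm) fields."""
    return (byte >> 6) & 3, (byte >> 3) & 7, byte & 7

def parse_and_mask(code, i):
    """Recognise `andl $0xffffffe0, %reg` at code[i].

    Accepts the imm8 form (83 /4 ib; imm8 0xe0 sign-extends to 0xffffffe0)
    and the imm32 form (81 /4 id). Returns (reg, next_index) or None.
    """
    if i + 1 >= len(code) or code[i] not in (0x81, 0x83):
        return None
    mod, reg, rm = modrm_fields(code[i + 1])
    if mod != 3 or reg != 4:  # /4 is the AND extension; mod 3 = register target
        return None
    if code[i] == 0x83 and code[i + 2:i + 3] == b"\xe0":
        return rm, i + 3
    if code[i] == 0x81 and code[i + 2:i + 6] == b"\xe0\xff\xff\xff":
        return rm, i + 6
    return None

def validate_indirect(code, i, mask_reg, check_mod=True):
    """Check the indirect call/jmp at code[i] that follows a mask of mask_reg.

    check_mod=False reproduces the reported behaviour (mod field ignored);
    check_mod=True rejects a memory operand. Returns (accepted, reason).
    """
    if i + 1 >= len(code) or code[i] != 0xFF:
        return False, "not an ff-prefixed indirect call/jmp"
    mod, reg, rm = modrm_fields(code[i + 1])
    if reg not in (2, 4):  # /2 = call, /4 = jmp
        return False, "not call/jmp"
    if check_mod and mod != 3:
        return False, "memory dereference: target is not the masked register"
    if rm != mask_reg:
        return False, "call register differs from masked register"
    if rm == REG_ESP:
        return False, "indirect call through %esp"
    return True, "ok"

def check_sequence(code, check_mod=True):
    """Validate a two-instruction `andl; call/jmp` sequence at code[0]."""
    parsed = parse_and_mask(code, 0)
    if parsed is None:
        return False, "missing and-mask"
    mask_reg, nxt = parsed
    return validate_indirect(code, nxt, mask_reg, check_mod)

# Constructed sample sequences (hand-assembled 32-bit code, not from the report):
#   83 e2 e0   andl $0xffffffe0, %edx
#   ff d2      call *%edx     (mod=3: register operand)
#   ff 12      call *(%edx)   (mod=0: memory operand)
#   ff d4      call *%esp
REGISTER_CALL = bytes([0x83, 0xE2, 0xE0, 0xFF, 0xD2])
MEMORY_CALL = bytes([0x83, 0xE2, 0xE0, 0xFF, 0x12])
ESP_CALL = bytes([0x83, 0xE4, 0xE0, 0xFF, 0xD4])

if __name__ == "__main__":
    samples = [("call *%edx", REGISTER_CALL), ("call *(%edx)", MEMORY_CALL),
               ("call *%esp", ESP_CALL)]
    for name, seq in samples:
        unfixed = check_sequence(seq, check_mod=False)[0]
        fixed = check_sequence(seq)[0]
        print(f"{name:13} unfixed={unfixed!s:5} fixed={fixed}")
```

With `check_mod=False` the `call *(%edx)` sequence is accepted even though the masked value in %edx is only used as an address to load the real target from; with the mod check the same bytes are rejected while `call *%edx` still passes.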

Comment 1 by, Dec 13 2008

Labels: -Priority-Medium Priority-Critical
Status: Started
Congratulations! This is the first exploitable defect found by somebody outside of
Google! I'd like to send a congratulatory email to the native-client-announce list.
How may I identify you in the announcement?

Comment 2 by, Feb 25 2009

Status: Fixed

Comment 3 by, Jan 29 2010

Labels: -Priority-Critical Pri-0
