Excessive ROP Exploits in Chrome

Anyone getting excessive ROP Exploits in Chrome?  Just in the past hour I've gotten 6 pop-ups about it and then another from Outlook (just opening a calendar item).

 

I am running the beta so it could be related to that.

 

Core Agent: 2.2.0 Beta

Endpoint Advanced: 10.8.3 Beta

Sophos Intercept X: 2.0.8

Google Chrome: 70.0.3538.77 (64-bit)

OS: Windows 7 Professional SP1 (64-bit)

  • Getting ROP as well.. different users, PC types etc - always seems to be for Chrome - Is there plan to fix this?

     

  • Hi Breakingcustom,

    Can you please confirm the Sophos Intercept X version? and if you are still seeing the same issue as mentioned in the below advisory for both the chrome and the office applications.

    ROP Exploit - Chrome Advisory - If you are seeing the ROP detections when streaming media from websites.

    ROP Exploit - Office 2013 - This is only seen with Intercept X 2.0.9 (Which was rolled back).

    In case if your issue is different from the above advisory, please follow this KBA and it would require a support ticket to be opened to investigate it further.

  • In reply to Gowtham Mani:

    Thanks Gowtham. 

    It's probably related to: ROP Exploit - Chrome Advisory

  • In reply to Gowtham Mani:

    Wouldn't be applicable to the Chrome Advisory since I'm running v70.  I'm also running 2.0.8 for InterceptX.

     

    This is the output from one of the errors in Hitman:

     

    Mitigation ROP

    Platform 6.1.7601/x64 v756 06_3c
    PID 17860
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 70

    Callee Type AllocateVirtualMemory
    0x000004E02A784000 (503808 bytes)

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    0x000007FEA40737A0 chrome_child.dll RET 0x000007FEA4087C4B chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll RET 0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll RET 0x000007FEA4073788 chrome_child.dll

    0x000007FEA40737A0 chrome_child.dll RET 0x000007FEA4087C36 chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll RET 0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll RET 0x000007FEA4073788 chrome_child.dll

    0x000007FEA40737A0 chrome_child.dll RET 0x000007FEA4087BBF chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll RET 0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll RET 0x000007FEA4073788 chrome_child.dll

    RtlAcquireSRWLockExclusive +0x25 RET* 0x000000013FB3BD51 chrome.exe
    0x0000000076FCB945 ntdll.dll
    4989d8 MOV R8, RBX
    4989f9 MOV R9, RDI
    e8a46df9ff CALL 0x13fad2b00
    4c89f1 MOV RCX, R14
    4889f2 MOV RDX, RSI
    e809fbffff CALL 0x13fb3b870
    488b442458 MOV RAX, [RSP+0x58]
    4883f810 CMP RAX, 0x10
    7236 JB 0x13fb3bda8
    488b4c2440 MOV RCX, [RSP+0x40]
    488d5001 LEA RDX, [RAX+0x1]
    4881fa00100000 CMP RDX, 0x1000
    721f JB 0x13fb3bda3
    488b59f8 MOV RBX, [RCX-0x8]
    4883c1f8 ADD RCX, -0x8
    4829d9 SUB RCX, RBX
    (8138B6F283429F81)


    WaitForMultipleObjects +0xdf ~ RET* 0x000000013FB0242B chrome.exe
    0x0000000076EA06EF kernel32.dll
    0b00 OR EAX, [RAX]
    4889442460 MOV [RSP+0x60], RAX
    48c74424680b000000 MOV QWORD [RSP+0x68], 0xb
    48837e380f CMP QWORD [RSI+0x38], 0xf
    4c89e0 MOV RAX, R12
    7604 JBE 0x13fb02449
    488b4620 MOV RAX, [RSI+0x20]
    4889442450 MOV [RSP+0x50], RAX
    488b4630 MOV RAX, [RSI+0x30]
    4889442458 MOV [RSP+0x58], RAX
    4531c0 XOR R8D, R8D
    488d4c2450 LEA RCX, [RSP+0x50]
    488d542460 LEA RDX, [RSP+0x60]
    e8d776fcff CALL 0x13fac9b40
    84c0 TEST AL, AL
    (4F8A19382F7C5869)


    GetCurrentProcess +0x96 ~ RET WaitForMultipleObjects +0xb0
    0x000007FEFCEA1486 KernelBase.dll 0x0000000076EA06C0 kernel32.dll

    NtWaitForMultipleObjects +0xa ~ RET GetCurrentProcess +0x40
    0x0000000077019E3A ntdll.dll 0x000007FEFCEA1430 KernelBase.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000007FEFCEA1945 KernelBase.dll VirtualAlloc +0x45

    2 000007FEA581E23D chrome_child.dll
    4885c0 TEST RAX, RAX
    0f95c0 SETNZ AL
    4883c428 ADD RSP, 0x28
    c3 RET

    3 000007FEA408783C chrome_child.dll
    4 000007FEA4087C10 chrome_child.dll
    5 000007FEA4087B20 chrome_child.dll
    6 000007FEA4087897 chrome_child.dll
    7 000007FEA431DA51 chrome_child.dll
    8 000007FEA431D768 chrome_child.dll
    9 000007FEA431D661 chrome_child.dll
    10 000007FEA562A6D2 chrome_child.dll

    Code Injection
    0000000000060000-0000000000061000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    000000000007B000-000000000007C000 4KB
    0000000077019000-000000007701A000 4KB
    000000007701A000-000000007701B000 4KB
    000000013FBE8000-000000013FBE9000 4KB
    000000013FBE5000-000000013FBE6000 4KB
    0000000000080000-0000000000081000 4KB
    000000013FBE1000-000000013FBE2000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    2 C:\Windows\explorer.exe [7328]
    3 C:\Windows\System32\userinit.exe [8076]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [17860]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,13093351916193068832,17641892205845941666,131072 --service-pipe-token=2819091101584101300 --lang=en-US --enable-offline-auto-reload --enable-offline-aut
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    3 C:\Windows\explorer.exe [7328]
    4 C:\Windows\System32\userinit.exe [8076]

    Thumbprint
    200b474c46ad54be426ea4365fdc9bf06e9c2392664e3949b3fe460d4ebc8080

  • In reply to Breakingcustom:

    I just checked and most of these are also occurring on Chrome 70. 

  • In reply to LRB:

    Hello,

    I am seeing a very similar issue - Chrome 70 - latest version of Sophos Central.

    The slightly concerning part for me in that the clean seems to fail as well.

     

    From Event Log:

    HitmanPro.Alert

    Mitigation   ROP

    Platform     6.1.7601/x64 v756 06_5e

    PID          171504

    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    Description  Google Chrome 70

     Callee Type  AllocateVirtualMemory

     

    Has anybody got any further with this?