Excessive ROP Exploits in Chrome

Anyone getting excessive ROP Exploits in Chrome?  Just in the past hour I've gotten 6 pop-ups about it and then another from Outlook (just opening a calendar item).

 

I am running the beta so it could be related to that.

 

Core Agent: 2.2.0 Beta

Endpoint Advanced: 10.8.3 Beta

Sophos Intercept X: 2.0.8

Google Chrome: 70.0.3538.77 (64-bit)

OS: Windows 7 Professional SP1 (64-bit)

  • Getting ROP as well.. different users, PC types etc - always seems to be for Chrome - Is there plan to fix this?

     

  • Hi Breakingcustom,

    Can you please confirm the Sophos Intercept X version? and if you are still seeing the same issue as mentioned in the below advisory for both the chrome and the office applications.

    ROP Exploit - Chrome Advisory - If you are seeing the ROP detections when streaming media from websites.

    ROP Exploit - Office 2013 - This is only seen with Intercept X 2.0.9 (Which was rolled back).

    In case if your issue is different from the above advisory, please follow this KBA and it would require a support ticket to be opened to investigate it further.

  • In reply to Gowtham Mani:

    Thanks Gowtham. 

    It's probably related to: ROP Exploit - Chrome Advisory

  • In reply to Gowtham Mani:

    Wouldn't be applicable to the Chrome Advisory since I'm running v70.  I'm also running 2.0.8 for InterceptX.

     

    This is the output from one of the errors in Hitman:

     

    Mitigation ROP

    Platform 6.1.7601/x64 v756 06_3c
    PID 17860
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 70

    Callee Type AllocateVirtualMemory
    0x000004E02A784000 (503808 bytes)

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    0x000007FEA40737A0 chrome_child.dll RET 0x000007FEA4087C4B chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll RET 0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll RET 0x000007FEA4073788 chrome_child.dll

    0x000007FEA40737A0 chrome_child.dll RET 0x000007FEA4087C36 chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll RET 0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll RET 0x000007FEA4073788 chrome_child.dll

    0x000007FEA40737A0 chrome_child.dll RET 0x000007FEA4087BBF chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll RET 0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll RET 0x000007FEA4073788 chrome_child.dll

    RtlAcquireSRWLockExclusive +0x25 RET* 0x000000013FB3BD51 chrome.exe
    0x0000000076FCB945 ntdll.dll
    4989d8 MOV R8, RBX
    4989f9 MOV R9, RDI
    e8a46df9ff CALL 0x13fad2b00
    4c89f1 MOV RCX, R14
    4889f2 MOV RDX, RSI
    e809fbffff CALL 0x13fb3b870
    488b442458 MOV RAX, [RSP+0x58]
    4883f810 CMP RAX, 0x10
    7236 JB 0x13fb3bda8
    488b4c2440 MOV RCX, [RSP+0x40]
    488d5001 LEA RDX, [RAX+0x1]
    4881fa00100000 CMP RDX, 0x1000
    721f JB 0x13fb3bda3
    488b59f8 MOV RBX, [RCX-0x8]
    4883c1f8 ADD RCX, -0x8
    4829d9 SUB RCX, RBX
    (8138B6F283429F81)


    WaitForMultipleObjects +0xdf ~ RET* 0x000000013FB0242B chrome.exe
    0x0000000076EA06EF kernel32.dll
    0b00 OR EAX, [RAX]
    4889442460 MOV [RSP+0x60], RAX
    48c74424680b000000 MOV QWORD [RSP+0x68], 0xb
    48837e380f CMP QWORD [RSI+0x38], 0xf
    4c89e0 MOV RAX, R12
    7604 JBE 0x13fb02449
    488b4620 MOV RAX, [RSI+0x20]
    4889442450 MOV [RSP+0x50], RAX
    488b4630 MOV RAX, [RSI+0x30]
    4889442458 MOV [RSP+0x58], RAX
    4531c0 XOR R8D, R8D
    488d4c2450 LEA RCX, [RSP+0x50]
    488d542460 LEA RDX, [RSP+0x60]
    e8d776fcff CALL 0x13fac9b40
    84c0 TEST AL, AL
    (4F8A19382F7C5869)


    GetCurrentProcess +0x96 ~ RET WaitForMultipleObjects +0xb0
    0x000007FEFCEA1486 KernelBase.dll 0x0000000076EA06C0 kernel32.dll

    NtWaitForMultipleObjects +0xa ~ RET GetCurrentProcess +0x40
    0x0000000077019E3A ntdll.dll 0x000007FEFCEA1430 KernelBase.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000007FEFCEA1945 KernelBase.dll VirtualAlloc +0x45

    2 000007FEA581E23D chrome_child.dll
    4885c0 TEST RAX, RAX
    0f95c0 SETNZ AL
    4883c428 ADD RSP, 0x28
    c3 RET

    3 000007FEA408783C chrome_child.dll
    4 000007FEA4087C10 chrome_child.dll
    5 000007FEA4087B20 chrome_child.dll
    6 000007FEA4087897 chrome_child.dll
    7 000007FEA431DA51 chrome_child.dll
    8 000007FEA431D768 chrome_child.dll
    9 000007FEA431D661 chrome_child.dll
    10 000007FEA562A6D2 chrome_child.dll

    Code Injection
    0000000000060000-0000000000061000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    000000000007B000-000000000007C000 4KB
    0000000077019000-000000007701A000 4KB
    000000007701A000-000000007701B000 4KB
    000000013FBE8000-000000013FBE9000 4KB
    000000013FBE5000-000000013FBE6000 4KB
    0000000000080000-0000000000081000 4KB
    000000013FBE1000-000000013FBE2000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    2 C:\Windows\explorer.exe [7328]
    3 C:\Windows\System32\userinit.exe [8076]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [17860]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,13093351916193068832,17641892205845941666,131072 --service-pipe-token=2819091101584101300 --lang=en-US --enable-offline-auto-reload --enable-offline-aut
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    3 C:\Windows\explorer.exe [7328]
    4 C:\Windows\System32\userinit.exe [8076]

    Thumbprint
    200b474c46ad54be426ea4365fdc9bf06e9c2392664e3949b3fe460d4ebc8080

  • In reply to Breakingcustom:

    I just checked and most of these are also occurring on Chrome 70. 

  • In reply to LRB:

    Hello,

    I am seeing a very similar issue - Chrome 70 - latest version of Sophos Central.

    The slightly concerning part for me in that the clean seems to fail as well.

     

    From Event Log:

    HitmanPro.Alert

    Mitigation   ROP

    Platform     6.1.7601/x64 v756 06_5e

    PID          171504

    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    Description  Google Chrome 70

     Callee Type  AllocateVirtualMemory

     

    Has anybody got any further with this?

  • In reply to Breakingcustom:

    Mitigation   ROP
    
    Platform     10.0.16299/x64 v756 06_8e
    PID          71048
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 70
    
    Callee Type  AllocateVirtualMemory
                 0x0000226695204000 (503808 bytes)
    
    Branch Trace                              Opcode  To                                      
    ---------------------------------------- -------- ----------------------------------------
    0x00007FFF277B37A0 chrome_child.dll          RET  0x00007FFF277C7C4B chrome_child.dll ^0001
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277B3798 chrome_child.dll ^0006
    
    0x00007FFF27726515 chrome_child.dll          RET  0x00007FFF277B3788 chrome_child.dll ^0005
    
    0x00007FFF277B37A0 chrome_child.dll          RET  0x00007FFF277C7C36 chrome_child.dll ^0002
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277B3798 chrome_child.dll ^0002
    
    0x00007FFF27726515 chrome_child.dll          RET  0x00007FFF277B3788 chrome_child.dll ^0007
    
    0x00007FFF277B37A0 chrome_child.dll          RET  0x00007FFF277C7BBF chrome_child.dll ^0001
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277B3798 chrome_child.dll ^0002
    
    0x00007FFF27726515 chrome_child.dll          RET  0x00007FFF277B3788 chrome_child.dll ^0020
    
    RtlAcquireSRWLockExclusive +0x1e             RET  0x00007FFF277C7B79 chrome_child.dll ^00E9
    0x00007FFF9D4B613E ntdll.dll                                                              
    
    RtlReleaseSRWLockExclusive +0xc              RET  0x00007FFF277C7B20 chrome_child.dll ^010F
    0x00007FFF9D4A88FC ntdll.dll                                                              
    
    0x00007FFF277C7854 chrome_child.dll          RET  0x00007FFF277C7C10 chrome_child.dll ^0002
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277C784B chrome_child.dll ^0002
    
    0x00007FFF28F5E247 chrome_child.dll          RET  0x00007FFF277C783C chrome_child.dll ^0002
    
    VirtualAlloc +0x5c                           RET  0x00007FFF28F5E23D chrome_child.dll ^0001
    0x00007FFF99C70EEC KernelBase.dll                                                         
    
    +0x2464a                                     RET  VirtualAlloc +0x4b ^0003                
    0x00007FFF8BAD464A hmpalert.dll                   0x00007FFF99C70EDB KernelBase.dll       
    
    +0xb9116                                     RET  +0x24637 ^0003                          
    0x00007FFF8BB69116 hmpalert.dll                   0x00007FFF8BAD4637 hmpalert.dll         
    
    +0x29061                                     RET  +0x24625 ^0001                          
    0x00007FFF8BAD9061 hmpalert.dll                   0x00007FFF8BAD4625 hmpalert.dll         
    
    +0xb9116                                     RET  +0x2905c ^0002                          
    0x00007FFF8BB69116 hmpalert.dll                   0x00007FFF8BAD905C hmpalert.dll         
    
    RtlLeaveCriticalSection +0x82              ~ RET* RtlEnterCriticalSection() ^08AD         
    0x00007FFF9D4B6112 ntdll.dll                      0x00007FFF9D4B7C00 ntdll.dll            
                        4883ec28                 SUB          RSP, 0x28
                        65488b042530000000       MOV          RAX, [GS:0x30]
                        f00fba710800             LOCK BTR     DWORD [RCX+0x8], 0x0
                        488b4048                 MOV          RAX, [RAX+0x48]
                        7312                     JAE          0x7fff9d4b7c2b
                        48894110                 MOV          [RCX+0x10], RAX
                        33c0                     XOR          EAX, EAX
                        c7410c01000000           MOV          DWORD [RCX+0xc], 0x1
                        4883c428                 ADD          RSP, 0x28
                        c3                       RET         
                                             (28E0FEC02ACC3000)
    
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFF99C70EDB KernelBase.dll           VirtualAlloc +0x4b
    
    2  00007FFF28F5E23D chrome_child.dll        
                        4885c0                   TEST         RAX, RAX
                        0f95c0                   SETNZ        AL
                        4883c428                 ADD          RSP, 0x28
                        c3                       RET         
    
    3  00007FFF277C783C chrome_child.dll        
    4  00007FFF277C7C10 chrome_child.dll        
    5  00007FFF277C7B20 chrome_child.dll        
    6  00007FFF277C7897 chrome_child.dll        
    7  00007FFF289DC78D chrome_child.dll        
    8  00007FFF27EFCB89 chrome_child.dll        
    9  00007FFF27EFAF49 chrome_child.dll        
    10 00007FFF289DEC14 chrome_child.dll        
    
    Code Injection
    00000141E6962000-00000141E6963000    4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [62904]
    00007FFF9D510000-00007FFF9D511000    4KB
    00007FFF9D512000-00007FFF9D513000    4KB
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [62904]
    2  C:\Windows\explorer.exe [8624]
    3  C:\Windows\System32\userinit.exe [8648]
    
    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [71048]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1356,4168132881274442054,6824804507927348123,131072 --service-pipe-token=8789830783730237914 --lang=en-GB --enable-offline-auto-reload --enable-offline-auto-
    2  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [62904]
    3  C:\Windows\explorer.exe [8624]
    4  C:\Windows\System32\userinit.exe [8648]
    
    Thumbprint
    5d1a04c3a6fd17c4b9f189b886111898a3cadd4162b3ce9e62fef99d3cf338cc
  • In reply to Breakingcustom:

    Hi Breakingcustom,

    This might require a support case to investigate further to confirm if this is the same issue as reported in the Chrome advisory or a separate issue. Please let me know if you already have a ticket open with our support. 

    Meanwhile, I will also try to contact the concerned team to confirm the same.

  • In reply to Breakingcustom:

    I'm seeing very similar issue. The advisory speaks of Chrome 69 and widevinecdm.dll, but this seems different since it occurs on Chrome 70 and the widevine dll is not involved. Only one "detection" so far. Would like to know from Sophos if this does or does not relate to the above mentioned advisory.


    Event details
    Detection type ROP

    Application Google Chrome
    Path C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    Version 70

    PID 10896

    Detection ID 09a27f714204402cde8abd68319f108f92931d225bc923c085d83176d04c80bf

    Hide Raw Data...
    Mitigation ROP

    Platform 10.0.17763/x64 v756 06_8e
    PID 10896
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 70

    Callee Type AllocateVirtualMemory
    0x00002DED10304000 (503808 bytes)

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    0x00007FF809FF37A0 chrome_child.dll RET 0x00007FF80A007C4B chrome_child.dll ^000E

    0x00007FF80DCC3866 chrome_child.dll RET 0x00007FF809FF3798 chrome_child.dll ^000C

    0x00007FF809F66515 chrome_child.dll RET 0x00007FF809FF3788 chrome_child.dll ^0038

    0x00007FF809FF37A0 chrome_child.dll ~ RET* GetQueuedCompletionStatus() ^0031
    0x00007FF879D1CB40 KernelBase.dll
    48895c2408 MOV [RSP+0x8], RBX
    57 PUSH RDI
    4883ec50 SUB RSP, 0x50
    8b842480000000 MOV EAX, [RSP+0x80]
    498bd9 MOV RBX, R9
    4d8bd0 MOV R10, R8
    488bfa MOV RDI, RDX
    4c8bd9 MOV R11, RCX
    83f8ff CMP EAX, -0x1
    0f848e000000 JZ 0x7ff879d1cbf4
    4869c8f0d8ffff IMUL RCX, RAX, 0xffffd8f0
    488d442430 LEA RAX, [RSP+0x30]
    48894c2430 MOV [RSP+0x30], RCX
    4c8d4c2440 LEA R9, [RSP+0x40]
    (1F941325E2908E7C)


    _ovly_debug_event() RET 0x00007FF809FB268E chrome_child.dll ^0080
    0x00007FF80A803AE0 chrome_child.dll

    0x00007FF809FB1B41 chrome_child.dll RET 0x00007FF809FB2626 chrome_child.dll ^0005

    0x00007FF809FB1E6B chrome_child.dll RET 0x00007FF809FB1AEE chrome_child.dll ^0104

    0x00007FF809FB1BEB chrome_child.dll RET 0x00007FF809FB1ADD chrome_child.dll ^0006

    0x00007FF80DCC3866 chrome_child.dll RET 0x00007FF809FB1BDF chrome_child.dll ^002B

    0x00007FF80BB5014B chrome_child.dll RET 0x00007FF809FB1B8C chrome_child.dll ^019B

    0x00007FF809FB1C9A chrome_child.dll RET 0x00007FF809FB1B74 chrome_child.dll ^0009

    0x00007FF809F93D96 chrome_child.dll RET 0x00007FF809FB1C78 chrome_child.dll ^001F

    BaseDumpAppcompatCacheWorker +0x1f5 RET 0x00007FF809F93D74 chrome_child.dll ^013F
    0x00007FF87CD82EF5 kernel32.dll

    0x00007FF809FB199B chrome_child.dll RET 0x00007FF809FB2605 chrome_child.dll ^0008

    0x00007FF80DCC3866 chrome_child.dll RET 0x00007FF809FB198D chrome_child.dll ^0027

    0x00007FF809FB1A42 chrome_child.dll RET 0x00007FF809FB1851 chrome_child.dll ^0007

    0x00007FF80DCC3866 chrome_child.dll RET 0x00007FF809FB1A36 chrome_child.dll ^017B

    0x00007FF809FB2889 chrome_child.dll RET 0x00007FF809FB25ED chrome_child.dll ^0002

    0x00007FF80DCC3866 chrome_child.dll RET 0x00007FF809FB2880 chrome_child.dll ^0024

    GetQueuedCompletionStatus +0x8f RET 0x00007FF809FB275E chrome_child.dll ^0008
    0x00007FF879D1CBCF KernelBase.dll

    RtlRestoreLastWin32Error +0x44 RET GetQueuedCompletionStatus +0xab ^0001
    0x00007FF87CFDEDA4 ntdll.dll 0x00007FF879D1CBEB KernelBase.dll

    RtlRetrieveNtUserPfn +0x124 RET RtlRestoreLastWin32Error +0x40 ^0048
    0x00007FF87D00EE04 ntdll.dll 0x00007FF87CFDEDA0 ntdll.dll

    NtRemoveIoCompletion +0x14 RET GetQueuedCompletionStatus +0x53 ^000A
    0x00007FF87D01E6B4 ntdll.dll 0x00007FF879D1CB93 KernelBase.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FF879D4CB28 KernelBase.dll VirtualAlloc +0x48

    2 00007FF80B79E31D chrome_child.dll
    4885c0 TEST RAX, RAX
    0f95c0 SETNZ AL
    4883c428 ADD RSP, 0x28
    c3 RET

    3 00007FF80A00783C chrome_child.dll
    4 00007FF80A007C10 chrome_child.dll
    5 00007FF80A48E43F chrome_child.dll
    6 00007FF80A48D4F4 chrome_child.dll
    7 00007FF80A48C9AE chrome_child.dll
    8 00007FF80A48C820 chrome_child.dll
    9 00007FF80A48BFF3 chrome_child.dll
    10 00007FF80B10A1C2 chrome_child.dll

    Code Injection
    000001E9F1129000-000001E9F112A000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [18544]
    00007FF87D01F000-00007FF87D020000 4KB
    00007FF87D01E000-00007FF87D01F000 4KB
    00007FF87D020000-00007FF87D021000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [18544]
    2 C:\Windows\explorer.exe [82960]
    3 C:\Windows\System32\userinit.exe [111520]
    4 C:\Windows\System32\winlogon.exe [81328]
    C:\Windows\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [49640]
    \SystemRoot\System32\smss.exe 000000c0 00000084 C:\Windows\System32\WinLogon.exe -SpecialSession

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10896]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,14121763138094698272,1055056246258607190,131072 --service-pipe-token=16648568633321249788 --lang=en-US --enable-offline-auto-reload --enable-offline-aut
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [18544]
    3 C:\Windows\explorer.exe [82960]
    4 C:\Windows\System32\userinit.exe [111520]
    5 C:\Windows\System32\winlogon.exe [81328]
    C:\Windows\System32\WinLogon.exe -SpecialSession
    6 C:\Windows\System32\smss.exe [49640]
    \SystemRoot\System32\smss.exe 000000c0 00000084 C:\Windows\System32\WinLogon.exe -SpecialSession

    Thumbprint
    09a27f714204402cde8abd68319f108f92931d225bc923c085d83176d04c80bf