
Excessive ROP Exploits in Chrome

Anyone getting excessive ROP Exploits in Chrome?  Just in the past hour I've gotten 6 pop-ups about it and then another from Outlook (just opening a calendar item).


I am running the beta so it could be related to that.


Core Agent: 2.2.0 Beta

Endpoint Advanced: 10.8.3 Beta

Sophos Intercept X: 2.0.8

Google Chrome: 70.0.3538.77 (64-bit)

OS: Windows 7 Professional SP1 (64-bit)



  • Hi Breakingcustom,

    Can you please confirm the Sophos Intercept X version, and whether you are still seeing the same issue as described in the advisories below for both the Chrome and the Office applications?

    ROP Exploit - Chrome Advisory - If you are seeing the ROP detections when streaming media from websites.

    ROP Exploit - Office 2013 - This is only seen with Intercept X 2.0.9 (which was rolled back).

    If your issue is different from the above advisories, please follow this KBA; it would require a support ticket to be opened to investigate it further.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Wouldn't be applicable to the Chrome Advisory since I'm running v70.  I'm also running 2.0.8 for InterceptX.


    This is the output from one of the errors in Hitman:


    Mitigation   ROP

    Platform     6.1.7601/x64 v756 06_3c
    PID          17860
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 70

    Callee Type  AllocateVirtualMemory
                 0x000004E02A784000 (503808 bytes)

    Branch Trace                              Opcode  To
    ---------------------------------------- -------- ----------------------------------------
    0x000007FEA40737A0 chrome_child.dll          RET  0x000007FEA4087C4B chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll          RET  0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll          RET  0x000007FEA4073788 chrome_child.dll

    0x000007FEA40737A0 chrome_child.dll          RET  0x000007FEA4087C36 chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll          RET  0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll          RET  0x000007FEA4073788 chrome_child.dll

    0x000007FEA40737A0 chrome_child.dll          RET  0x000007FEA4087BBF chrome_child.dll

    0x000007FEA7D45566 chrome_child.dll          RET  0x000007FEA4073798 chrome_child.dll

    0x000007FEA3FE6515 chrome_child.dll          RET  0x000007FEA4073788 chrome_child.dll

    RtlAcquireSRWLockExclusive +0x25             RET* 0x000000013FB3BD51 chrome.exe
    0x0000000076FCB945 ntdll.dll
                        4989d8                   MOV          R8, RBX
                        4989f9                   MOV          R9, RDI
                        e8a46df9ff               CALL         0x13fad2b00
                        4c89f1                   MOV          RCX, R14
                        4889f2                   MOV          RDX, RSI
                        e809fbffff               CALL         0x13fb3b870
                        488b442458               MOV          RAX, [RSP+0x58]
                        4883f810                 CMP          RAX, 0x10
                        7236                     JB           0x13fb3bda8
                        488b4c2440               MOV          RCX, [RSP+0x40]
                        488d5001                 LEA          RDX, [RAX+0x1]
                        4881fa00100000           CMP          RDX, 0x1000
                        721f                     JB           0x13fb3bda3
                        488b59f8                 MOV          RBX, [RCX-0x8]
                        4883c1f8                 ADD          RCX, -0x8
                        4829d9                   SUB          RCX, RBX
                                             (8138B6F283429F81)

    WaitForMultipleObjects +0xdf               ~ RET* 0x000000013FB0242B chrome.exe
    0x0000000076EA06EF kernel32.dll
                        0b00                     OR           EAX, [RAX]
                        4889442460               MOV          [RSP+0x60], RAX
                        48c74424680b000000       MOV          QWORD [RSP+0x68], 0xb
                        48837e380f               CMP          QWORD [RSI+0x38], 0xf
                        4c89e0                   MOV          RAX, R12
                        7604                     JBE          0x13fb02449
                        488b4620                 MOV          RAX, [RSI+0x20]
                        4889442450               MOV          [RSP+0x50], RAX
                        488b4630                 MOV          RAX, [RSI+0x30]
                        4889442458               MOV          [RSP+0x58], RAX
                        4531c0                   XOR          R8D, R8D
                        488d4c2450               LEA          RCX, [RSP+0x50]
                        488d542460               LEA          RDX, [RSP+0x60]
                        e8d776fcff               CALL         0x13fac9b40
                        84c0                     TEST         AL, AL
                                             (4F8A19382F7C5869)

    GetCurrentProcess +0x96                    ~ RET  WaitForMultipleObjects +0xb0
    0x000007FEFCEA1486 KernelBase.dll                 0x0000000076EA06C0 kernel32.dll

    NtWaitForMultipleObjects +0xa              ~ RET  GetCurrentProcess +0x40
    0x0000000077019E3A ntdll.dll                      0x000007FEFCEA1430 KernelBase.dll

    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  000007FEFCEA1945 KernelBase.dll           VirtualAlloc +0x45

    2  000007FEA581E23D chrome_child.dll
                        4885c0                   TEST         RAX, RAX
                        0f95c0                   SETNZ        AL
                        4883c428                 ADD          RSP, 0x28
                        c3                       RET

    3  000007FEA408783C chrome_child.dll
    4  000007FEA4087C10 chrome_child.dll
    5  000007FEA4087B20 chrome_child.dll
    6  000007FEA4087897 chrome_child.dll
    7  000007FEA431DA51 chrome_child.dll
    8  000007FEA431D768 chrome_child.dll
    9  000007FEA431D661 chrome_child.dll
    10 000007FEA562A6D2 chrome_child.dll

    Code Injection
    0000000000060000-0000000000061000    4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    000000000007B000-000000000007C000    4KB
    0000000077019000-000000007701A000    4KB
    000000007701A000-000000007701B000    4KB
    000000013FBE8000-000000013FBE9000    4KB
    000000013FBE5000-000000013FBE6000    4KB
    0000000000080000-0000000000081000    4KB
    000000013FBE1000-000000013FBE2000    4KB
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    2  C:\Windows\explorer.exe [7328]
    3  C:\Windows\System32\userinit.exe [8076]

    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [17860]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,13093351916193068832,17641892205845941666,131072 --service-pipe-token=2819091101584101300 --lang=en-US --enable-offline-auto-reload --enable-offline-aut
    2  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7524]
    3  C:\Windows\explorer.exe [7328]
    4  C:\Windows\System32\userinit.exe [8076]

    Thumbprint
    200b474c46ad54be426ea4365fdc9bf06e9c2392664e3949b3fe460d4ebc8080

  • I just checked and most of these are also occurring on Chrome 70. 

  • Hello,

    I am seeing a very similar issue - Chrome 70 - latest version of Sophos Central.

    The slightly concerning part for me is that the clean seems to fail as well.


    From Event Log:

    HitmanPro.Alert

    Mitigation   ROP
    Platform     6.1.7601/x64 v756 06_5e
    PID          171504
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 70

    Callee Type  AllocateVirtualMemory

    Has anybody got any further with this?

  • Mitigation   ROP
    
    Platform     10.0.16299/x64 v756 06_8e
    PID          71048
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 70
    
    Callee Type  AllocateVirtualMemory
                 0x0000226695204000 (503808 bytes)
    
    Branch Trace                              Opcode  To                                      
    ---------------------------------------- -------- ----------------------------------------
    0x00007FFF277B37A0 chrome_child.dll          RET  0x00007FFF277C7C4B chrome_child.dll ^0001
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277B3798 chrome_child.dll ^0006
    
    0x00007FFF27726515 chrome_child.dll          RET  0x00007FFF277B3788 chrome_child.dll ^0005
    
    0x00007FFF277B37A0 chrome_child.dll          RET  0x00007FFF277C7C36 chrome_child.dll ^0002
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277B3798 chrome_child.dll ^0002
    
    0x00007FFF27726515 chrome_child.dll          RET  0x00007FFF277B3788 chrome_child.dll ^0007
    
    0x00007FFF277B37A0 chrome_child.dll          RET  0x00007FFF277C7BBF chrome_child.dll ^0001
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277B3798 chrome_child.dll ^0002
    
    0x00007FFF27726515 chrome_child.dll          RET  0x00007FFF277B3788 chrome_child.dll ^0020
    
    RtlAcquireSRWLockExclusive +0x1e             RET  0x00007FFF277C7B79 chrome_child.dll ^00E9
    0x00007FFF9D4B613E ntdll.dll                                                              
    
    RtlReleaseSRWLockExclusive +0xc              RET  0x00007FFF277C7B20 chrome_child.dll ^010F
    0x00007FFF9D4A88FC ntdll.dll                                                              
    
    0x00007FFF277C7854 chrome_child.dll          RET  0x00007FFF277C7C10 chrome_child.dll ^0002
    
    0x00007FFF2B485566 chrome_child.dll          RET  0x00007FFF277C784B chrome_child.dll ^0002
    
    0x00007FFF28F5E247 chrome_child.dll          RET  0x00007FFF277C783C chrome_child.dll ^0002
    
    VirtualAlloc +0x5c                           RET  0x00007FFF28F5E23D chrome_child.dll ^0001
    0x00007FFF99C70EEC KernelBase.dll                                                         
    
    +0x2464a                                     RET  VirtualAlloc +0x4b ^0003                
    0x00007FFF8BAD464A hmpalert.dll                   0x00007FFF99C70EDB KernelBase.dll       
    
    +0xb9116                                     RET  +0x24637 ^0003                          
    0x00007FFF8BB69116 hmpalert.dll                   0x00007FFF8BAD4637 hmpalert.dll         
    
    +0x29061                                     RET  +0x24625 ^0001                          
    0x00007FFF8BAD9061 hmpalert.dll                   0x00007FFF8BAD4625 hmpalert.dll         
    
    +0xb9116                                     RET  +0x2905c ^0002                          
    0x00007FFF8BB69116 hmpalert.dll                   0x00007FFF8BAD905C hmpalert.dll         
    
    RtlLeaveCriticalSection +0x82              ~ RET* RtlEnterCriticalSection() ^08AD         
    0x00007FFF9D4B6112 ntdll.dll                      0x00007FFF9D4B7C00 ntdll.dll            
                        4883ec28                 SUB          RSP, 0x28
                        65488b042530000000       MOV          RAX, [GS:0x30]
                        f00fba710800             LOCK BTR     DWORD [RCX+0x8], 0x0
                        488b4048                 MOV          RAX, [RAX+0x48]
                        7312                     JAE          0x7fff9d4b7c2b
                        48894110                 MOV          [RCX+0x10], RAX
                        33c0                     XOR          EAX, EAX
                        c7410c01000000           MOV          DWORD [RCX+0xc], 0x1
                        4883c428                 ADD          RSP, 0x28
                        c3                       RET         
                                             (28E0FEC02ACC3000)
    
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFF99C70EDB KernelBase.dll           VirtualAlloc +0x4b
    
    2  00007FFF28F5E23D chrome_child.dll        
                        4885c0                   TEST         RAX, RAX
                        0f95c0                   SETNZ        AL
                        4883c428                 ADD          RSP, 0x28
                        c3                       RET         
    
    3  00007FFF277C783C chrome_child.dll        
    4  00007FFF277C7C10 chrome_child.dll        
    5  00007FFF277C7B20 chrome_child.dll        
    6  00007FFF277C7897 chrome_child.dll        
    7  00007FFF289DC78D chrome_child.dll        
    8  00007FFF27EFCB89 chrome_child.dll        
    9  00007FFF27EFAF49 chrome_child.dll        
    10 00007FFF289DEC14 chrome_child.dll        
    
    Code Injection
    00000141E6962000-00000141E6963000    4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [62904]
    00007FFF9D510000-00007FFF9D511000    4KB
    00007FFF9D512000-00007FFF9D513000    4KB
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [62904]
    2  C:\Windows\explorer.exe [8624]
    3  C:\Windows\System32\userinit.exe [8648]
    
    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [71048]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1356,4168132881274442054,6824804507927348123,131072 --service-pipe-token=8789830783730237914 --lang=en-GB --enable-offline-auto-reload --enable-offline-auto-
    2  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [62904]
    3  C:\Windows\explorer.exe [8624]
    4  C:\Windows\System32\userinit.exe [8648]
    
    Thumbprint
    5d1a04c3a6fd17c4b9f189b886111898a3cadd4162b3ce9e62fef99d3cf338cc
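The HitmanPro.Alert event text quoted in the posts above (Mitigation, Callee Type, Branch Trace, Stack Trace, Process Trace, Thumbprint) is what a responder has to compare when deciding whether several detections are the same pattern. The parser below is an added example written for this page, not Sophos or HitmanPro.Alert code. It reads a report in the layout of the Windows 10 post above (two-space column gaps, indented disassembly rows, the address line under each symbolic branch row), extracts the RET edges with their source and target modules, and summarises the fields that stay stable across processes (the guarded API and request size, the top stack frame, the Chrome process type from the command line, the thumbprint) while the ASLR-dependent addresses are left out of the comparison. The embedded sample report is a constructed, shortened excerpt; the function and field names, and the reading of the `^NNNN` and `~` markers as a per-row count and an uncertainty flag, are assumptions of mine.

```python
"""Parse HitmanPro.Alert ROP event text (laid out as in the Windows 10 report above) and
summarise what a responder compares across reports.  Added example, not Sophos code."""
import re
from collections import namedtuple

# Constructed sample: a shortened excerpt in the layout of the report posted above.
SAMPLE = r"""
Mitigation   ROP
PID          71048
Callee Type  AllocateVirtualMemory
             0x0000226695204000 (503808 bytes)
Branch Trace                              Opcode  To
---------------------------------------- -------- ----------------------------------------
0x00007FFF277B37A0 chrome_child.dll          RET  0x00007FFF277C7C4B chrome_child.dll ^0001
VirtualAlloc +0x5c                           RET  0x00007FFF28F5E23D chrome_child.dll ^0001
0x00007FFF99C70EEC KernelBase.dll
RtlLeaveCriticalSection +0x82              ~ RET* RtlEnterCriticalSection() ^08AD
0x00007FFF9D4B6112 ntdll.dll                      0x00007FFF9D4B7C00 ntdll.dll
                    c3                       RET

Stack Trace
1  00007FFF99C70EDB KernelBase.dll           VirtualAlloc +0x4b
2  00007FFF28F5E23D chrome_child.dll
Process Trace
1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [71048]
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-GB
Thumbprint
5d1a04c3a6fd17c4b9f189b886111898a3cadd4162b3ce9e62fef99d3cf338cc
"""

SECTIONS = ("Branch Trace", "Stack Trace", "Code Injection", "Process Trace", "Thumbprint")
HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(.+?)\s*$")
ALLOC_RE = re.compile(r"^\s*(0x[0-9A-Fa-f]+)\s+\((\d+) bytes\)")
# Branch rows: raw-address source ("0xFROM mod  RET  0xTO mod ^NNNN") or symbolic source
# ("VirtualAlloc +0x5c  RET  ...") whose address/module (and a symbolic target's) sit on the next line.
EDGE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s+(~\s*)?(RET\*?|CALL|JMP)\s+(0x[0-9A-Fa-f]+)\s+(\S+)(?:\s+\^([0-9A-Fa-f]{4}))?")
SYM_EDGE_RE = re.compile(r"^(\S+(?: \+0x[0-9A-Fa-f]+)?)\s+(~\s*)?(RET\*?|CALL|JMP)\s+(.+?)(?:\s+\^([0-9A-Fa-f]{4}))?\s*$")
ADDR_MOD_RE = re.compile(r"(0x[0-9A-Fa-f]+)\s+(\S+)")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{16})\s+(\S+)(?:\s+(.+?))?\s*$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\]\s*$")
Edge = namedtuple("Edge", "src src_module opcode dst dst_module count uncertain")  # count: "^NNNN"; uncertain: "~"

def parse_report(text: str) -> dict:
    rep = {"fields": {}, "alloc_addr": None, "alloc_bytes": None,
           "edges": [], "frames": [], "processes": [], "thumbprint": None}
    lines, i, section = text.splitlines(), 0, "header"
    while i < len(lines):
        line, i = lines[i].rstrip(), i + 1
        if not line:
            continue
        head = next((s for s in SECTIONS if line.startswith(s)), None)
        if head:
            section = head
        elif section == "header":
            if (m := HEADER_RE.match(line)):
                rep["fields"][m[1]] = m[2]
            elif (m := ALLOC_RE.match(line)):
                rep["alloc_addr"], rep["alloc_bytes"] = m[1], int(m[2])
        elif line[0].isspace() or line.startswith(("--", "#")):
            continue                           # disassembly rows, rulers and column headers
        elif section == "Branch Trace":
            if (m := EDGE_RE.match(line)):
                rep["edges"].append(Edge(m[1], m[2], m[4], m[5], m[6], m[7], bool(m[3])))
            elif (m := SYM_EDGE_RE.match(line)):
                dst, pairs = m[4].strip(), []
                if i < len(lines) and not EDGE_RE.match(lines[i]):   # address line under the row
                    pairs = ADDR_MOD_RE.findall(lines[i])
                    i += 1 if pairs else 0
                t = ADDR_MOD_RE.fullmatch(dst)
                src_mod = pairs[0][1] if pairs else ""
                dst_mod = t[2] if t else (pairs[1][1] if len(pairs) > 1 else "")
                rep["edges"].append(Edge(m[1], src_mod, m[3], dst, dst_mod, m[5], bool(m[2])))
        elif section == "Stack Trace":
            if (m := FRAME_RE.match(line)):
                rep["frames"].append((int(m[1]), m[2], m[3], m[4] or ""))
        elif section == "Process Trace":
            if (m := PROC_RE.match(line)):
                rep["processes"].append({"path": m[2], "pid": int(m[3]), "cmdline": ""})
            elif line.startswith('"') and rep["processes"]:
                rep["processes"][-1]["cmdline"] = line
        elif section == "Thumbprint" and re.fullmatch(r"[0-9a-fA-F]{64}", line):
            rep["thumbprint"] = line.lower()
    return rep

def summarize(rep: dict) -> dict:
    rets = [e for e in rep["edges"] if e.opcode.startswith("RET")]
    cmd = next((p["cmdline"] for p in rep["processes"] if p["cmdline"]), "")
    ptype = re.search(r"--type=(\S+)", cmd)        # which Chrome process (renderer, gpu, ...)
    return {"mitigation": rep["fields"].get("Mitigation"), "callee": rep["fields"].get("Callee Type"),
            "alloc_bytes": rep["alloc_bytes"],
            "ret_edges": len(rets),
            "intra_module_rets": sum(e.src_module == e.dst_module != "" for e in rets),
            "modules": sorted({x for e in rep["edges"] for x in (e.src_module, e.dst_module) if x}),
            "top_frame": rep["frames"][0][3] if rep["frames"] else None,
            "chrome_process_type": ptype[1] if ptype else None,
            "thumbprint": rep["thumbprint"]}

def same_pattern(a: dict, b: dict) -> bool:
    """Same guarded call, request size, top frame and process type: likely one issue, not two."""
    return all(a[k] == b[k] for k in ("mitigation", "callee", "alloc_bytes", "top_frame", "chrome_process_type"))
```

Run on the two full reports in this thread, `same_pattern` compares the stable fields (AllocateVirtualMemory, 503808 bytes, VirtualAlloc as the top frame, a `--type=renderer` process) rather than the per-process addresses, which is the comparison the support reply asks for when it wants to know whether this is the advisory's issue or a separate one. The Windows 7 report as originally pasted has its disassembly rows unindented; this parser expects them indented as in the Windows 10 report.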
  • Hi Breakingcustom,

    This might require a support case to investigate further to confirm if this is the same issue as reported in the Chrome advisory or a separate issue. Please let me know if you already have a ticket open with our support. 

    Meanwhile, I will also try to contact the concerned team to confirm the same.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

