Escaping the Chrome Sandbox Through DevTools
Two vulnerabilities in Chromium allow malicious extensions to escape the sandbox and execute commands on users' PCs. The author received a $20,000 reward for reporting these significant security risks.
This blog post discusses the discovery of two vulnerabilities, CVE-2024-6778 and CVE-2024-5836, in the Chromium web browser that allow a malicious Chrome extension to escape the browser's sandbox and execute shell commands on a user's PC. The author received a $20,000 reward from Google for reporting these vulnerabilities. The Chromium sandbox is designed to isolate untrusted code and limit its access to the system. However, the author identified a flaw in the WebUI mechanism, specifically in the chrome://policy/test page, which was intended for testing enterprise policies. By exploiting an undocumented feature, the author was able to set arbitrary user policies without proper validation, effectively bypassing the sandbox. Because enterprise policies can control what the browser launches, this vulnerability could allow an attacker to execute commands leading to full control over the operating system, rather than merely stealing sensitive information. The author explains the technical details of how the exploit works, including the role of private APIs and the lack of necessary checks in the code. The findings highlight significant security risks in the Chrome browser's handling of enterprise policies and the potential for malicious extensions to exploit these weaknesses.
- Two critical vulnerabilities in Chromium allow sandbox escape via malicious extensions.
- The author received a $20,000 reward from Google for reporting the vulnerabilities.
- The exploit involves bypassing validation on the chrome://policy/test page.
- Attackers could execute arbitrary commands, compromising the entire operating system.
- The findings emphasize the need for improved security measures in Chromium's policy handling.
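Since the attack path runs through enterprise policy values rather than a memory bug, one defensive check is to audit the browser's effective policies for entries that can launch an external program and for policies that did not arrive through an expected management channel. The following is an added example, not code from the original post or from Chromium; it assumes the JSON shape produced by the "Export to JSON" button on chrome://policy, and the policy dump, the trusted-source set and the allowed-browser list are all constructed here.

```python
"""Audit a Chrome policy export for execution-capable or unexpectedly sourced policies.

Assumption: the export looks like {"chromePolicies": {name: {"level", "scope",
"source", "value"}}}, as produced by chrome://policy "Export to JSON".
AlternativeBrowserPath, AlternativeBrowserParameters and BrowserSwitcherEnabled
are real Chrome policy names; every value below is constructed for illustration.
"""
import json
from typing import List, Set

# Policies through which Chrome spawns a process outside its sandbox.
# Assumption: an editorial starting list, not an exhaustive one.
EXEC_CAPABLE_POLICIES: Set[str] = {
    "AlternativeBrowserPath", "AlternativeBrowserParameters", "BrowserSwitcherEnabled",
}
# Assumption: the policy sources this organisation expects; tune to your export.
TRUSTED_SOURCES: Set[str] = {"platform", "cloud"}
# Assumption: the only binaries an admin has approved as an "alternative browser".
ALLOWED_BROWSER_PATHS: Set[str] = {"/usr/bin/firefox", "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}

# Constructed export: a machine-level switcher policy plus two user-level entries
# whose source is not one the administrator recognises.
SAMPLE_EXPORT = json.dumps({"chromePolicies": {
    "BrowserSwitcherEnabled": {"level": "mandatory", "scope": "machine", "source": "platform", "value": True},
    "AlternativeBrowserPath": {"level": "mandatory", "scope": "user", "source": "sourceUnknown", "value": "/tmp/not-a-browser"},
    "AlternativeBrowserParameters": {"level": "mandatory", "scope": "user", "source": "sourceUnknown", "value": ["${url}"]},
    "HomepageLocation": {"level": "recommended", "scope": "user", "source": "platform", "value": "https://intranet.example"},
}})


def audit_policy_export(export_json: str, allowed_browsers: Set[str] = ALLOWED_BROWSER_PATHS) -> List[str]:
    """Return one human-readable finding per suspicious policy property."""
    findings: List[str] = []
    policies = json.loads(export_json).get("chromePolicies", {})
    for name, entry in policies.items():
        source = entry.get("source", "")
        value = entry.get("value")
        if source not in TRUSTED_SOURCES:
            findings.append(f"{name}: unexpected policy source {source!r} (scope={entry.get('scope')})")
        if name in EXEC_CAPABLE_POLICIES:
            findings.append(f"{name}: execution-capable policy is set (value={value!r})")
        if name == "AlternativeBrowserPath" and value not in allowed_browsers:
            findings.append(f"{name}: {value!r} is not an approved browser binary")
    return findings


if __name__ == "__main__":
    for line in audit_policy_export(SAMPLE_EXPORT):
        print(line)
```

Run against a real export, the three checks separate "a switcher policy legitimately pushed by IT" from "a switcher policy that appeared from nowhere and points at something that is not a browser".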
Related
Universal Code Execution by Chaining Messages in Browser Extensions
Researchers demonstrate universal code execution in browser extensions by exploiting messaging APIs, bypassing security measures. Vulnerabilities in extensions can compromise millions of users, allowing access to sensitive data and enabling arbitrary command execution.
Chrome update fixes 38 security issues, including active vulnerability
Google released a Chrome update addressing 38 vulnerabilities, including a critical 0-day exploit (CVE-2024-7971). Users are urged to update immediately to mitigate risks across all platforms.
Google tags a tenth Chrome zero-day as exploited this year
Google patched its tenth zero-day vulnerability in Chrome for 2024, allowing remote exploitation via crafted HTML. Users should update their browsers to the latest version for protection.
About that Windows Installer 'make me admin' security hole. How it's exploited
Microsoft patched a critical Windows Installer vulnerability, CVE-2024-38014, allowing privilege escalation. SEC Consult released a tool to identify vulnerable files, urging users to apply the patch promptly.
Jailbreak Your Enemies with a Link: Remote Execution on iOS
The Trident exploit chain features three zero-day vulnerabilities in iOS, enabling remote jailbreaks and Pegasus spyware installation via hyperlinks. Despite being patched in 2016, the code remains publicly accessible.
Is there some validation logic or something on this policy that the URL must be passed to the "alternative browser" somewhere in the AlternativeBrowserParameters?
Very impressive!
Well deserved reward!
I'm always impressed by the simplicity of tricks like "Press F12 to try again", this is just so naughty :)
The author of this post had to bypass much more challenging obstacles. This is great work!
Super clever sleuthing
... and adding chrome://policy with half-baked JSON edit support.