Researchers discovered vulnerabilities in the Chromium web browser that allowed malicious extensions to escape the sandbox and execute arbitrary code on the user’s system.
These vulnerabilities exploited the privileged nature of WebUI pages, which provide the user interface for Chromium’s features and have access to private APIs that can bypass the sandbox.
It has been found that malicious scripts could trigger certain actions on WebUI pages to circumvent security checks and execute arbitrary code, potentially leading to serious security consequences.
The Chromium enterprise policy system allows administrators to control Chrome settings remotely. While typically requiring Google account association, user policies can be set locally through a JSON file.
Join ANY.RUN's FREE webinar on How to Improve Threat Investigations on Oct 23 - Register Here
However, the lack of a direct editing interface presents a challenge, which explores the potential for an undocumented feature in the WebUI to modify these policies, offering a more convenient method for administrators to manage Chrome settings.
A vulnerability was discovered in the Chrome policy test page. By exploiting a private API exposed by the WebUI code and the lack of proper validation on the C++ side, researchers were able to set arbitrary user policies through Javascript code injection on chrome://policy/test, even though the PolicyTestPageEnabled policy was disabled.
This bug exists because the IsPolicyTestingEnabled() function doesn’t properly check the kPolicyTestPageEnabled policy due to a null PrefService argument.
For Chromium builds (without Google Chrome branding), the channel check always passes due to Channel::UNKNOWN being the same as Channel::DEFAULT.
A sandbox escape vulnerability is described in Chrome extensions through the chrome.devtools.inspectedWindow API.
By exploiting the fact that the inspected page and the devtools page are different processes, the extension can call inspectedWindow.reload() before the devtools page disables the API.
This injects arbitrary javascript code to the inspectedWebUI page, such as chrome://policy, while the injected code can then set arbitrary user policies to achieve sandbox escape.
It describes a Chrome extension vulnerability that exploits a race condition in chrome.devtools.inspectedWindow.reload() to achieve sandbox escape, and the original exploit injects a script into chrome://policy to set malicious policies.
A more reliable exploit utilizes the fact that debugger requests persist after a tab crash.
By triggering a debugger crash twice and then calling chrome.devtools.inspectedWindow.reload(), the exploit injects a script that navigates to chrome://settings to achieve sandbox escape.
Ading2210 discovered a high-severity vulnerability in Chrome’s DevTools. The vulnerability exploits a race condition to execute arbitrary JavaScript code on inspected pages.
Google quickly acknowledged the issue and implemented fixes to prevent the exploitation of this vulnerability. The researcher was awarded $20,000 for their discovery.
The vulnerability, assigned CVE-2024-5836 and CVE-2024-6778, highlights the importance of thorough security testing, even for older code, and the risks of shipping undocumented or insecure features.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide (PDF)
