406 points by vk6 | 9 comments
Etheryte No.41867389
Given the severity, I can't help but feel that this is underpaid at the scale Google is at. Chrome is so ubiquitous and vulnerabilities like these could hit hard. Last thing they need to do is to send the signal that it's better to sell these on the black market.
replies(9): >>41867499 #>>41867548 #>>41867653 #>>41867666 #>>41867873 #>>41868146 #>>41868628 #>>41868995 #>>41869073 #
1. TheDong No.41867499
If you can trick someone into installing a malicious extension with arbitrary permissions, you can already run arbitrary code on every webpage they visit, including their logged in bank, social media, etc.

You think an attacker is right now thinking "Man, I know exactly how to make a lot of victims install an extension, but I can only steal their coinbase wallet and bank accounts, if only there was a way I could run calc.exe on their machine too..." who's going to pay more than $20k to upgrade from "steal all their money" to "steal all their money and run calc.exe"?

replies(5): >>41867676 #>>41867738 #>>41867770 #>>41868097 #>>41868626 #
2. grokkedit No.41867676
That's not entirely true: if you look at the manifest on the GitHub repo you can see that it only requires the `tab` permission, which, when installed, will make the extension seem quite safe, since it should not have access to the content of your pages.
3. beng-nl No.41867738
I actually think escaping the browser is a huge leap and frequently a primary goal for a black hat. E.g. someone trying to install ransomware, or a spy targeting a specific person or org.

From outside the browser they can exploit kernel bugs to elevate their privilege; and they can probe the network to attempt to move laterally in the org.

So while I think your comment is thoughtful, its thoughtfulness made me think of agreeing with the opposite :-)

4. webXL No.41867770
Correct me if I’m wrong, but remote code execution has the advantage of being able to access information without the user being involved at all. Sure, the user needs to install and trigger the exploit, but whatever code the attacker runs doesn’t require the user to interact with certain URLs. If you can launch arbitrary programs, you can probably install all sorts of nasty things that are potentially more lucrative than the victim’s bank or Coinbase accounts.
replies(1): >>41867843 #
5. therein No.41867843
It breaks the assumption that Chrome is sandboxed and something I do as a user including installing an extension will not have an impact outside of Chrome. A new process outside Chrome to call your own and do whatever you want with.

You're on Windows? Download a binary, create some WMI triggers and get executed at every boot as the same user (requires no elevation for same user, if Admin, you can get NT_AUTHORITY). If you find something to elevate to Administrator you could also patch the beginning of some rarely used syscall and then invoke it and get a thread to yourself in the kernel. These things tend to almost chain themselves sometimes. At least on Windows it feels that way.

Also the user doesn't have to navigate to a specific URL in the final form, just needs to open devtools after installing the extension.

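The WMI-trigger persistence the comment above sketches leaves permanent event subscriptions behind in the `root\subscription` namespace. As an added defender's example (not code from any commenter), this PowerShell lists every filter-to-consumer binding and flags the consumer classes that execute commands or scripts; it assumes Windows PowerShell 5.1 or later on the host being inspected.

```powershell
# Added example: enumerate permanent WMI event subscriptions, the mechanism
# described above for same-user persistence that fires at every boot.
# Assumes Windows PowerShell 5.1+; listing works as a standard user,
# removal of findings would need the owning user or an administrator.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

# Consumer classes that run attacker-supplied commands or scripts when the
# bound filter fires; the built-in NTEventLogEventConsumer only writes logs.
$codeRunningConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

$results = foreach ($b in $bindings) {
    # Binding properties are references; match them back to the full objects.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    $class = $c.CimClass.CimClassName
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }
    [pscustomobject]@{
        Filter     = $f.Name
        Query      = $f.Query        # WQL trigger, e.g. an uptime or process-start event
        Consumer   = $c.Name
        Class      = $class
        Payload    = $payload
        Suspicious = ($codeRunningConsumers -contains $class)
    }
}

# Review anything flagged Suspicious against the host's known baseline.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A clean default install normally shows only the `SCM Event Log Filter` bound to an `NTEventLogEventConsumer`, so any command-line or script consumer is worth investigating.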
6. TeMPOraL No.41868097
No, "calc.exe upgrade" is definitely worth more than $20k to criminals, as it's a huge qualitative jump in capabilities. A full-privileged browser extension can only mess with things you actively visit in your browser. But give it "calc.exe privileges", and it now can mess with anything that touches your computer, with or without your involvement. Private keys on your hard drive, photos on your phone that you plugged in via USB to transfer something, IoT devices on your LAN - all are fair game. And so many, many other things.
7. scotty79 No.41868626
"Run calc.exe" actually means steal money from everybody in their entire organization or blackmail the entire organization by encrypting all the data they need to function.
replies(1): >>41870143 #
8. echoangle No.41870143
If compromising a single machine of a user already compromises your entire org's IT, you’re doing something wrong, right? Shouldn’t a normal user lack the privileges to do this much damage to the network?
replies(1): >>41877697 #
9. scotty79 No.41877697
Everybody is doing something wrong.