
406 points vk6 | 2 comments
Etheryte No.41867389
Given the severity, I can't help but feel that this is underpaid at the scale Google is at. Chrome is so ubiquitous and vulnerabilities like these could hit hard. The last thing they need to do is to send the signal that it's better to sell these on the black market.
TheDong No.41867499
If you can trick someone into installing a malicious extension with arbitrary permissions, you can already run arbitrary code on every webpage they visit, including their logged-in bank, social media, etc.

You think an attacker is right now thinking "Man, I know exactly how to make a lot of victims install an extension, but I can only steal their Coinbase wallet and bank accounts, if only there was a way I could run calc.exe on their machine too..."? Who's going to pay more than $20k to upgrade from "steal all their money" to "steal all their money and run calc.exe"?

1. webXL No.41867770
Correct me if I'm wrong, but remote code execution has the advantage of being able to access information without the user being involved at all. Sure, the user needs to install and trigger the exploit, but whatever code the attacker runs doesn't require the user to interact with certain URLs. If you can launch arbitrary programs, you can probably install all sorts of nasty things that are potentially more lucrative than the victim's bank or Coinbase accounts.
2. therein No.41867843
It breaks the assumption that Chrome is sandboxed and something I do as a user including installing an extension will not have an impact outside of Chrome. A new process outside Chrome to call your own and do whatever you want with.

You're on Windows? Download a binary, create some WMI triggers and get executed at every boot as the same user (requires no elevation for the same user; if Admin, you can get NT_AUTHORITY). If you find something to elevate to Administrator, you could also patch the beginning of some rarely used syscall and then invoke it and get a thread to yourself in the kernel. These things tend to almost chain themselves sometimes. At least on Windows it feels that way.

Also, the user doesn't have to navigate to a specific URL in the final form; they just need to open DevTools after installing the extension.
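A defender-side check for the boot-time "WMI trigger" persistence therein mentions, as an added example that is not part of the thread: it lists every permanent WMI event subscription on the host together with the action its consumer would run, so a planted filter-to-consumer binding is visible. It assumes Windows PowerShell 3 or later and read access to the root\subscription namespace.

```powershell
# Added example, not from the thread: enumerate permanent WMI event
# subscriptions (filter -> consumer bindings). Read-only; assumes the running
# account can read the root\subscription namespace.
$ns = 'root\subscription'
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # With Get-CimInstance the Filter and Consumer reference properties are
    # resolved to CimInstance objects, so their fields can be read directly.
    $filter   = $b.Filter
    $consumer = $b.Consumer
    $type     = $consumer.CimClass.CimClassName

    # Only some consumer classes execute caller-supplied content; surface that
    # payload field so the action is readable in one line.
    $action = switch ($type) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { '(no command/script payload)' }
    }

    [pscustomobject]@{
        Filter   = $filter.Name
        Query    = $filter.Query      # WQL; boot triggers commonly watch SystemUpTime
        Consumer = $consumer.Name
        Type     = $type
        Action   = $action
        Suspect  = $type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
    }
}
# A stock Windows install normally shows only the built-in SCM Event Log
# binding (an NTEventLogEventConsumer); anything flagged Suspect deserves review.
```

Pipe the script's output to `Format-Table -AutoSize` for a one-screen overview, or to `Export-Csv` to baseline a fleet and diff later.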