
# Case Study of Chrome Sandbox Escape

A Collection of Chrome Sandbox Escape POCs/Exploits for learning.

## Permission Allowed Issues

| Issue | Type | Summary | Label | Reporter | Links |
|---|---|---|---|---|---|
| crbug-984521 | MojoJS POC | UAF in IndexedDB IndexedDBConnection::Close | M-76 | Mark Brand | p0-1912 |
| crbug-981873 | MojoJS POC | UAF in IndexedDB ~LevelDBIteratorImpl | M-76 | Mark Brand | p0-1904 |
| crbug-977462 | MojoJS POC | UAF in OfflinePage | CVE-2019-5850, M-75, reward-10000 | Brendon Tiszka | - |
| crbug-972239 | MojoJS POC | UAF in IndexedDB IndexedDBTransaction::Abort | M-76 | Mark Brand | - |
| crbug-971702 | HTML POC | UAF in chrome!content::Portal::Activate | M-76, reward-8000 | Pawel Wylecial | - |
| crbug-966784 | MojoJS POC | UAF in IndexedDB AbortAllTransactions | M-76, reward-5000 | cdsrc2016 | - |
| crbug-966762 | MojoJS POC | UAF in IndexedDB RequestComplete 2 | M-76, reward-10500 | cdsrc2016 | - |
| crbug-956597 | HTML POC | UAF in ServiceWorkerPaymentInstrument | M-75, M-76, reward-5000 | leecraso, Guang Gong | - |
| crbug-960484 | MojoJS POC | UAF in SerialChooserController | M-75 | jonorman | - |
| crbug-948172 | Full Chain Exploit | PDF plugin is allowed to use Pepper Socket API | M-75 | Sergey Glazunov | Full Chain Exploit, crbug-950005, p0-1813, p0-1817 |
| crbug-945370 | HTML POC | UAF in IndexedDB DeleteRequest | M-75, reward-8000 | cdsrc2016 | - |
| crbug-942898 | HTML POC | UAF in IndexedDB RequestComplete | M-74, reward-10000 | cdsrc2016 | - |
| crbug-941746 | Full Chain WriteUp | UAF in IndexedDBDatabase (Pwnium 2019) | CVE-2019-5826, M-73 | Gengming Liu | BlackhatUSA2019 |
| crbug-941008 | MojoJS POC | UAF in FileChooserImpl | CVE-2019-5809, M-73, M-74, M-75 | Mark Brand | p0-1803 |
| crbug-925864 | MojoJS POC | UAF in FileSystemOperationRunner | CVE-2019-5788, M-73 | Mark Brand | p0-1767 |
| crbug-922677 | Full Chain Exploit | UAF in FileWriterImpl | M-71 | Mark Brand | Full Chain Exploit, p0-1755, P0 Blog |
| crbug-921581 | MojoJS POC | UAF in WebMIDI | CVE-2019-5789, M-73 | Mark Brand | p0-1754 |
| crbug-916523 | MojoJS POC | Double Free in StoragePartitionService | CVE-2019-5797, M-73 | Mark Brand | p0-1744 |
| crbug-916080 | MojoJS POC | UAF in P2PSocketDispatcherHost | M-71 | Mark Brand | p0-1743 |
| crbug-912947 | MojoJS POC | UAF in PaymentRequest | M-72 | Mark Brand | p0-1735 |
| crbug-912520 | MojoJS POC | UAF in MediaStream | M-72 | Mark Brand | p0-1730 |
| crbug-888926 | Full Chain Exploit | UAF in AppCache (Hack2Win 2018) | CVE-2018-17462, M-69, M-70 | Ned Williamson, Niklas Baumstark | POC2018, 35C3, Github, OffensiveCon2019 |
| crbug-888366 | HTML POC | UAF in WebAudio | M-70, M-71, reward-5500 | cdsrc2016 | - |
| crbug-877182 | Patch POC | OOB Read/Write in Mojo DataPipe deserialization | CVE-2018-16068, M-68 | Mark Brand | - |
| crbug-842990 | Patch POC | UAF in IndexedDB Connection | CVE-2018-6127, M-66, reward-10000 | Looben Yang | - |
| crbug-835887 | Full Chain Exploit | Logic Bug in "filesystem:" Scheme URL, PDF Plugin, Extension, WebUI | M-67, M-68, reward-40633.7 | Sergey Glazunov | crbug-836362, crbug-836859, crbug-836858, crbug-840857 |
| crbug-831963 | Patch POC | UAF in In-memory Cache 2 | CVE-2018-6118, M-66, M-67, M-68, reward-10500 | Ned Williamson | - |
| crbug-827492 | Patch POC | UAF in In-memory Cache | CVE-2018-6086, M-66, reward-10500 | Ned Williamson | - |
| crbug-826626 | Patch POC | UAF in Blockfile Media Cache | CVE-2018-6085, M-66, reward-10000 | Ned Williamson | - |
| crbug-794969 | Patch POC | OOB Read in deserializing Mojo "Event" messages | M-65 | Gal Beniamini | - |
| crbug-791003 | Patch POC | Logic Bug in "catalog" service | CVE-2018-6055, M-65 | Gal Beniamini | - |
| crbug-778505 | Patch POC | OOB Write in QUIC | CVE-2017-15407, M-65, reward-10500 | Ned Williamson | - |
| crbug-777728 | Patch POC | Stack Overflow in QUIC | CVE-2017-15398, M-76, reward-10500 | Ned Williamson | - |
| crbug-728887 | Patch POC | UAF in IndexedDB OpenCursor | CVE-2017-5091, M-60, reward-10000 | Ned Williamson | - |
| crbug-725032 | Patch POC | UAF in IndexedDB Transactions | CVE-2017-5087, M-58, M-60, M-61, reward-10500 | Ned Williamson | - |
| crbug-698622 | HTML POC | UAF in Printing | CVE-2017-5055, M-57, M-58, reward-9337 | Wadih Matar | - |
| crbug-664551 | Full Chain Exploit | Logic Bug in Android Play Store (PWNFest 2016) | M-55 | Guang Gong | Github |
| crbug-659489 | Full Chain WriteUp | Logic Bug in Android "content:" Scheme URL, File Download (Mobile Pwn2Own 2016) | M-54 | Robert Miller, Georgi Geshev | crbug-659492, WriteUp |
| crbug-659474 | Full Chain WriteUp | Logic Bug in Android "intent:" Scheme URL, IPC (Mobile Pwn2Own 2016) | M-54 | Qidan He, Gengming Liu | crbug-659477, WriteUp, CSW2017 |
| crbug-610600 | Frida Exploit | Logic Bug in PPAPI/Flash Broker | CVE-2016-1706, M-52, reward-15000 | Pinkie Pie | - |
| crbug-595834 | Full Chain Exploit | Logic Bug in GPU, WebUI, SmartScreen (Pwn2Own 2016) | - | JungHoon Lee | crbug-595844, crbug-596862, WriteUp |
| crbug-590284 | Patch POC | UAF in RenderWidgetHostImpl | CVE-2016-1647, M-49, M-50, reward-10500 | gzobqq | - |
| crbug-564501 | Patch POC | UAF in MidiHost | M-48 | Oliver Chang | - |
| crbug-558589 | Webserver POC | UAF in AppCacheUpdateJob | CVE-2015-6765, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-554946 | Full Chain WriteUp | Logic Bug in Android Play Store (Mobile Pwn2Own 2015) | CVE-2015-6764, M-47, reward-7500 | Guang Gong | crbug-554518, Github |
| crbug-554908 | Patch, Webserver POC | UAF in AppCacheDispatcherHost | CVE-2015-6767, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-551044 | Patch, Webserver POC | Memory Corruption in AppCacheUpdateJob | CVE-2015-6766, M-47, M-48, reward-11337 | gzobqq | - |
| crbug-484270 | Webserver POC | Heap Overflow in CertificateResourceHandler | M-43 | Mark Brand | - |
| crbug-416449 | Full Chain Exploit | OOB Write in P2PHostMsg_Send IPC | CVE-2014-3188, M-38, reward-27634 | Jüri Aedla | crbug-416528, WriteUp |
| crbug-386988 | Full Chain Exploit | Logic Bugs in Extension and WebUI | reward-30000 | JungHoon Lee | crbug-50275, crbug-367567, crbug-387033, crbug-387037 |
| crbug-352369 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Pwn2Own 2014) | M-33 | VUPEN | crbug-352395 |
| crbug-319117 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Mobile Pwn2Own 2013) | CVE-2013-6632, M-31, M-32 | Pinkie Pie | crbug-319125, WriteUp |

## Permission Denied Issues

| Issue Number | Patch Version | Summary | Reporter |
|---|---|---|---|
| crbug-1019226 | 78.0.3904.87 | [$TBD] High CVE-2019-13720: Use-after-free in audio (Not Sure SBX) | Anton Ivanov, Alexey Kulaev |
| crbug-1001503 | 78.0.3904.70 | [$20000] High CVE-2019-13699: Use-after-free in media | Man Yue Mo |
| crbug-1005753 | 77.0.3865.120 | [$20500] High CVE-2019-13693: Use-after-free in IndexedDB | Guang Gong |
| crbug-1004730 | 77.0.3865.120 | [$15000] High CVE-2019-13695: Use-after-free in audio | Man Yue Mo |
| crbug-1000934 | 77.0.3865.90 | [$TBD] Critical CVE-2019-13685: Use-after-free in UI | Khalil Zhani |
| crbug-995964 | 77.0.3865.90 | [$20000] High CVE-2019-13688: Use-after-free in media | Man Yue Mo |
| crbug-998548 | 77.0.3865.90 | [$20000] High CVE-2019-13688: Use-after-free in media | Man Yue Mo |
| crbug-1000002 | 77.0.3865.90 | [$TBD] High CVE-2019-13686: Use-after-free in offline pages | Brendon Tiszka |
| crbug-999311 | 77.0.3865.75 | [$30000] Critical CVE-2019-5870: Use-after-free in media | Guang Gong |
| crbug-981492 | 77.0.3865.75 | [$3000] High CVE-2019-5872: Use-after-free in Mojo | Zhe Jin, Luyao Liu |
| crbug-989797 | 77.0.3865.75 | [$3000] High CVE-2019-5874: External URIs may trigger other browsers | James Lee |
| crbug-997190 | 77.0.3865.75 | [$20000] High CVE-2019-5876: Use-after-free in media | Man Yue Mo |
| crbug-959438 | 76.0.3809.87 | [$TBD] High CVE-2019-5859: Some URIs can load alternative browsers | James Lee |
- This list only includes Permission Denied issues posted on the Chrome Releases Blog (latest 3 years).
- It was compiled by hand, so some issues may be missing.

## Other Materials