
# Case Study of Chrome Sandbox Escape

A Collection of Chrome Sandbox Escape POCs/Exploits for learning.

## Permission Allowed Issues

| Issue | Type | Summary | Label | Reporter | Links |
|---|---|---|---|---|---|
| crbug-1032170 | WriteUp | Logic Bug in Extension message verification | CVE-2020-6380, M-79 | Sergey Glazunov | crbug-1031670 |
| crbug-1031653 | Patch POC | UAF in Desktop Media Picker | CVE-2019-13767, M-79 | Sergey Glazunov | p0-1985, crbug-1031142 |
| crbug-1031142 | Full Chain Exploit | Logic Bug in Extensions (Site Isolation Bypass) | CVE-2019-13767, M-79 | Sergey Glazunov | crbug-1031670 |
| crbug-1027152 | Patch POC | Heap Overflow in PasswordFormManager | CVE-2019-13726, M-78 | Sergey Glazunov | p0-1972 |
| crbug-1025067 | MojoJS POC | UAF in BluetoothAdapter | CVE-2019-13725, M-78, M-79, reward-20000 | Gengming Liu, Jianyu Chen | - |
| crbug-1024121 | MojoJS POC | UAF in WebBluetoothServiceImpl | CVE-2019-13723, M-78, M-79, reward-20000 | Yuxiang Li | - |
| crbug-1024116 | MojoJS POC | OOB Access in WebBluetoothServiceImpl | CVE-2019-13724, M-78, reward-20000 | Yuxiang Li | - |
| crbug-1007194 | WriteUp | UAF in MojoCdmProxyService | CVE-2019-13765, M-77, reward-5000 | Guang Gong | crbug-999311 |
| crbug-1005753 | Patch POC | UAF in IndexedDB | CVE-2019-13693, M-77, M-78, reward-20500 | Guang Gong | - |
| crbug-1004730 | Patch POC | UAF in MojoAudioDecoder | CVE-2019-13695, M-77, reward-15000 | Man Yue Mo | - |
| crbug-1001503 | MojoJS POC | UAF in Aura | CVE-2019-13699, M-77, reward-20000 | Man Yue Mo | - |
| crbug-1000934 | HTML POC | UAF in Sharing | CVE-2019-13685, M-77, M-78, reward-15000 | chromium.khalil | - |
| crbug-1000002 | MojoJS POC | UAF in OfflinePage2 (Android) | CVE-2019-13686, M-76, reward-20000 | Brendon Tiszka | - |
| crbug-998548 | MojoJS POC | UAF in ImageCapture | CVE-2019-13687, M-76, M-77, M-78, reward-20000 | Man Yue Mo | - |
| crbug-998431 | MojoJS POC | Heap Overflow in GamepadService | CVE-2019-13700, M-77, reward-15000 | Man Yue Mo | - |
| crbug-997190 | Patch POC | UAF in MediaSession (Android) | CVE-2019-5876, M-76, reward-20000 | Man Yue Mo | - |
| crbug-996741 | Patch POC | Logic Bug in Payment Handler API | M-76 | Sergey Glazunov | p0-1928 |
| crbug-995964 | MojoJS POC | UAF in VideoCapture | CVE-2019-13688, M-77, M-78, reward-20000 | Man Yue Mo | - |
| crbug-993223 | HTML POC | UAF in Payment | M-77, reward-5000 | chromium.khalil | crbug-992285 |
| crbug-987261 | HTML POC | Logic Bug in WebUI | - | Vladimir Metnew | - |
| crbug-986211 | Webserver POC | Heap Overflow in Network Service | M-76 | Mark Brand, Sergey Glazunov | P0 Blog1, P0 Blog2 |
| crbug-984521 | MojoJS POC | UAF in IndexedDB IndexedDBConnection::Close | M-76 | Mark Brand | p0-1912 |
| crbug-981873 | MojoJS POC | UAF in IndexedDB ~LevelDBIteratorImpl | M-76 | Mark Brand | p0-1904 |
| crbug-977462 | MojoJS POC | UAF in OfflinePage (Android) | CVE-2019-5850, M-75, reward-10000 | Brendon Tiszka | crbug-977195 |
| crbug-972239 | MojoJS POC | UAF in IndexedDB IndexedDBTransaction::Abort | M-76 | Mark Brand | - |
| crbug-971702 | HTML POC | UAF in chrome!content::Portal::Activate | M-76, reward-8000 | Pawel Wylecial | crbug-968142, RedTeam Blog |
| crbug-966784 | MojoJS POC | UAF in IndexedDB AbortAllTransactions | M-76, reward-5000 | cdsrc2016 | - |
| crbug-966762 | MojoJS POC | UAF in IndexedDB RequestComplete 2 | M-76, reward-10500 | cdsrc2016 | - |
| crbug-962500 | HTML POC | Logic Bug in WebUI | reward-10000 | Michal Bentkowski | - |
| crbug-960484 | MojoJS POC | UAF in SerialChooserController | M-75 | jonorman | - |
| crbug-956597 | HTML POC | UAF in ServiceWorkerPaymentInstrument | M-75, M-76, reward-5000 | leecraso, Guang Gong | - |
| crbug-948172 | Full Chain Exploit | Logic Bug in PDF plugin using Pepper Socket API | M-75 | Sergey Glazunov | Full Chain Exploit, crbug-950005, p0-1813, p0-1817 |
| crbug-945370 | HTML POC | UAF in IndexedDB DeleteRequest | M-75, reward-8000 | cdsrc2016 | - |
| crbug-942898 | HTML POC | UAF in IndexedDB RequestComplete | M-74, reward-10000 | cdsrc2016 | - |
| crbug-941746 | Full Chain WriteUp | UAF in IndexedDBDatabase (Pwnium 2019) | CVE-2019-5826, M-73 | Gengming Liu | BlackhatUSA2019, POC2019 |
| crbug-941008 | MojoJS POC | UAF in FileChooserImpl | CVE-2019-5809, M-73, M-74, M-75 | Mark Brand | p0-1803 |
| crbug-925864 | MojoJS POC | UAF in FileSystemOperationRunner | CVE-2019-5788, M-73 | Mark Brand | p0-1767 |
| crbug-922677 | Full Chain Exploit | UAF in FileWriterImpl | M-71 | Mark Brand | Full Chain Exploit, p0-1755, P0 Blog |
| crbug-921581 | MojoJS POC | UAF in WebMIDI | CVE-2019-5789, M-73 | Mark Brand | p0-1754 |
| crbug-916523 | MojoJS POC | Double Free in StoragePartitionService | CVE-2019-5797, M-73 | Mark Brand | p0-1744 |
| crbug-916080 | MojoJS POC | UAF in P2PSocketDispatcherHost | M-71 | Mark Brand | p0-1743 |
| crbug-912947 | MojoJS POC | UAF in PaymentRequest | M-72 | Mark Brand | p0-1735 |
| crbug-912520 | MojoJS POC | UAF in MediaStream | M-72 | Mark Brand | p0-1730 |
| crbug-888926 | Full Chain Exploit | UAF in Appcache (Hack2Win 2018) | CVE-2018-17462, M-69, M-70 | Ned Williamson, Niklas Baumstark | POC2018, 35C3, Github, OffensiveCon2019 |
| crbug-888366 | HTML POC | UAF in WebAudio | M-70, M-71, reward-5500 | cdsrc2016 | - |
| crbug-877182 | Patch POC | OOB Read/Write in Mojo DataPipe deserialization | CVE-2018-16068, M-68 | Mark Brand | - |
| crbug-842990 | Patch POC | UAF in IndexedDB Connection | CVE-2018-6127, M-66, reward-10000 | Looben Yang | - |
| crbug-835887 | Full Chain Exploit | Logic Bug in "filesystem:" Scheme URL, PDF Plugin, Extension, WebUI | M-67, M-68, reward-40633.7 | Sergey Glazunov | crbug-836362, crbug-836859, crbug-836858, crbug-840857 |
| crbug-831963 | Patch POC | UAF in In-memory Cache 2 | CVE-2018-6118, M-66, M-67, M-68, reward-10500 | Ned Williamson | - |
| crbug-827492 | Patch POC | UAF in In-memory Cache | CVE-2018-6086, M-66, reward-10500 | Ned Williamson | - |
| crbug-826626 | Patch POC | UAF in Blockfile Media Cache | CVE-2018-6085, M-66, reward-10000 | Ned Williamson | - |
| crbug-794969 | Patch POC | OOB Read in deserializing Mojo "Event" messages | M-65 | Gal Beniamini | - |
| crbug-791003 | Patch POC | Logic Bug in "catalog" service | CVE-2018-6055, M-65 | Gal Beniamini | - |
| crbug-780708 | WriteUp | Logic Bug in Android "googlechrome:" Scheme URL (Mobile Pwn2Own 2017) | M-65 | ? | - |
| crbug-779314 | Patch POC | OOB Read in Blob | CVE-2017-15416, M-65, reward-2500 | Ned Williamson | - |
| crbug-778505 | Patch POC | OOB Write in QUIC | CVE-2017-15407, M-65, reward-10500 | Ned Williamson | - |
| crbug-777728 | Patch POC | Stack Overflow in QUIC | CVE-2017-15398, M-76, reward-10500 | Ned Williamson | - |
| crbug-728887 | Patch POC | UAF in IndexedDB OpenCursor | CVE-2017-5091, M-60, reward-10000 | Ned Williamson | - |
| crbug-725032 | Patch POC | UAF in IndexedDB Transactions | CVE-2017-5087, M-58, M-60, M-61, reward-10500 | Ned Williamson | - |
| crbug-698622 | HTML POC | UAF in Printing | CVE-2017-5055, M-57, M-58, reward-9337 | Wadih Matar | - |
| crbug-664551 | Full Chain Exploit | Logic Bug in Android Play Store (PWNFest 2016) | M-55 | Guang Gong | Github |
| crbug-659489 | Full Chain WriteUp | Logic Bug in Android "content:" Scheme URL, File Download (Mobile Pwn2Own 2016) | M-54 | Robert Miller, Georgi Geshev | crbug-659492, WriteUp |
| crbug-659474 | Full Chain WriteUp | Logic Bug in Android "intent:" Scheme URL, IPC (Mobile Pwn2Own 2016) | M-54 | Qidan He, Gengming Liu | crbug-659477, WriteUp, CSW2017 |
| crbug-610600 | Frida Exploit | Logic Bug in PPAPI/Flash Broker | CVE-2016-1706, M-52, reward-15000 | Pinkie Pie | - |
| crbug-595834 | Full Chain Exploit | Logic Bug in GPU, WebUI, SmartScreen (Pwn2Own 2016) | - | JungHoon Lee | crbug-595844, crbug-596862, WriteUp |
| crbug-590284 | Patch POC | UAF in RenderWidgetHostImpl | CVE-2016-1647, M-49, M-50, reward-10500 | gzobqq | - |
| crbug-564501 | Patch POC | UAF in MidiHost | M-48 | Oliver Chang | - |
| crbug-558589 | Webserver POC | UAF in AppCacheUpdateJob | CVE-2015-6765, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-554946 | Full Chain WriteUp | Logic Bug in Android Play Store (Mobile Pwn2Own 2015) | CVE-2015-6764, M-47, reward-7500 | Guang Gong | crbug-554518, Github |
| crbug-554908 | Patch, Webserver POC | UAF in AppCacheDispatcherHost | CVE-2015-6767, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-551044 | Patch, Webserver POC | Memory Corruption in AppCacheUpdateJob | CVE-2015-6766, M-47, M-48, reward-11337 | gzobqq | - |
| crbug-484270 | Webserver POC | Heap Overflow in CertificateResourceHandler | M-43 | Mark Brand | - |
| crbug-416449 | Full Chain Exploit | OOB Write in P2PHostMsg_Send IPC | CVE-2014-3188, M-38, reward-27634 | Jüri Aedla | crbug-416528, WriteUp |
| crbug-386988 | Full Chain Exploit | Logic Bugs in Extension and WebUI | reward-30000 | JungHoon Lee | crbug-367567, crbug-387033, crbug-387037, crbug-50275 |
| crbug-352369 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Pwn2Own 2014) | M-33 | VUPEN | crbug-352395, Google Presentation |
| crbug-319117 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Mobile Pwn2Own 2013) | CVE-2013-6632, M-31, M-32 | Pinkie Pie | crbug-319125, WriteUp |

## Permission Denied Issues

| Issue Number | Chromium Review | Summary | Reporter |
|---|---|---|---|
| crbug-1019161 | bug:1019161 | [81.0.4044.92][$7500] High CVE-2020-6454: Use after free in extensions | Leecraso, Guang Gong |
| crbug-1059349 | bug:1059349 | [80.0.3987.149][$N/A] High CVE-2019-20503: Out of bounds read in usersctplib | Natalie Silvanovich |
| crbug-1031670 | bug:1031670 | [80.0.3987.149][$N/A] High CVE-2020-6425: Insufficient policy enforcement in extensions | Sergei Glazunov |
| crbug-1045931 | bug:1045931 | [80.0.3987.122][N/A] High CVE-2020-6407: Out of bounds memory access in streams (Not Sure SBX) | Sergei Glazunov |
| crbug-1035399 | bug:1035399 | [80.0.3987.122][N/A] High CVE-2020-6385: Insufficient policy enforcement in storage, p0-1991 | Sergei Glazunov |
| crbug-1018677 | bug:1018677 | [79.0.3945.130][$TBD] Critical CVE-2020-6378: Use-after-free in speech recognizer | Antti Levomäki, Christian Jalio |
| crbug-999311 | bug:999311 | [77.0.3865.75][$30000] Critical CVE-2019-5870: Use-after-free in media | Guang Gong |
| crbug-989797 | bug:989797 | [77.0.3865.75][$3000] High CVE-2019-5874: External URIs may trigger other browsers | James Lee |
| crbug-959438 | bug:959438 | [76.0.3809.87][$TBD] High CVE-2019-5859: Some URIs can load alternative browsers | James Lee |

- This list only includes Permission Denied issues posted on the Chrome Releases Blog (latest 3 years).
- It was compiled by hand, so some entries may be missing.

## Chrome Sandbox Internals

## Other Materials