Critical Chrome Flaw Lets Malicious Apps Control Your PC

Researchers discovered critical vulnerabilities in Chromium that enabled malicious Chrome extensions to bypass the browser’s sandbox and execute arbitrary code on the host system, which could potentially allow attackers to gain complete control of the user’s device.

Chrome WebUIs are privileged pages built with web technologies; because they run with privileges that ordinary pages lack, untrusted code that reaches them can bypass the sandbox. To mitigate this, Chromium validates the API calls these pages make so that unauthorized actions are rejected, but vulnerabilities may still exist.

Enterprise policies allow administrators to remotely control Chrome settings, including disabling user features and changing device behavior. They are typically managed through Google's servers, but on Linux they can also be set locally by a user with root permissions.

Disabling the dino easter egg game

The Chromium WebUI at chrome://policy provides a way to view and export the policies applied to the device. It does not, however, provide a supported way to edit those policies directly; an undocumented feature for doing so may exist, but it is not officially supported.

A feature available in Chrome Beta/Dev/Canary, chrome://policy/test, allows policies to be tested. Its private API can be called directly from the browser console, bypassing the page's intended interface and setting user policies directly, which raises security concerns.

The bug occurs because the IsPolicyTestingEnabled function in Chromium incorrectly determines the browser's release channel, so the function always returns true regardless of the actual channel.

Policy tests

As a result, the PolicyTestPageEnabled policy is effectively bypassed, allowing users to set test policies even when the page is disabled.

By manipulating Chrome's Browser Switcher policy from JavaScript running on chrome://policy, an attacker can set AlternativeBrowserPath so that Chrome launches arbitrary shell commands, which bypasses Chrome's sandbox on Linux, macOS, and Windows.

The researcher found that a Chrome extension can exploit a vulnerability in the chrome.devtools.inspectedWindow.reload() API to execute arbitrary code on privileged WebUI pages.

Executing code

This is achieved by opening devtools on a normal page, sending a reload request with an injected script before Chrome disables the API, and then navigating to a WebUI page, where the script is executed.

A developer tools extension exploits a race condition in chrome.devtools.inspectedWindow.reload to achieve code execution on privileged Chrome pages by leveraging the temporary about:blank state during navigation.

The race condition in chrome.devtools.inspectedWindow.reload is used to inject a JavaScript payload into chrome://policy; the payload then sets custom user policies that enable the Browser Switcher and launch a shell command.
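A defensive check for the policy settings this chain depends on (the Browser Switcher path described above and the policies the payload sets): an added audit script, not part of the original article or the researcher's work, that flags an exported or locally managed Chrome policy set in which AlternativeBrowserPath points at a non-browser executable or the policy test page is enabled. The shape of the chrome://policy JSON export, the managed-policy file path and the browser allowlist are assumptions.

```python
import os
import re

# Chrome policy names involved in the chain described above.
TEST_PAGE = "PolicyTestPageEnabled"
SWITCHER = "BrowserSwitcherEnabled"
ALT_PATH = "AlternativeBrowserPath"
ALT_PARAMS = "AlternativeBrowserParameters"
# Executables an administrator would plausibly point the switcher at
# (constructed allowlist; adjust it to the browsers deployed in your fleet).
EXPECTED_BROWSERS = {"firefox", "firefox.exe", "iexplore.exe", "msedge.exe",
                     "safari", "opera", "opera.exe"}
# Chrome expands ${name} placeholders such as ${firefox} itself; treat as trusted.
PLACEHOLDER = re.compile(r"^\$\{[a-z]+\}$")

def flatten_policies(doc):
    """Return {name: value} from either a chrome://policy JSON export (assumed
    shape: {"chromePolicies": {name: {"value": ...}}}) or a flat managed-policy
    file ({name: value}, e.g. /etc/opt/chrome/policies/managed/*.json on Linux)."""
    section = doc.get("chromePolicies", doc)
    return {n: e["value"] if isinstance(e, dict) and "value" in e else e
            for n, e in section.items()}

def audit_policies(policies):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if policies.get(TEST_PAGE) is True:
        findings.append(f"{TEST_PAGE} is true: the policy test page is enabled")
    if policies.get(SWITCHER) is True:
        path = policies.get(ALT_PATH) or ""
        base = os.path.basename(path).lower()
        if path and not PLACEHOLDER.match(path) and base not in EXPECTED_BROWSERS:
            params = policies.get(ALT_PARAMS, [])
            findings.append(f"{ALT_PATH} points at non-browser executable "
                            f"{path!r} with parameters {params!r}")
    return findings

# Constructed samples: one resembling what the chain above plants, one benign.
def _entry(value):  # wraps a value in the export's per-policy record shape
    return {"level": "mandatory", "scope": "user", "source": "platform", "value": value}

SAMPLE_EXPORT = {"chromePolicies": {SWITCHER: _entry(True),
                                    ALT_PATH: _entry("/bin/sh"),
                                    ALT_PARAMS: _entry(["-c", "echo ${url}"])}}
BENIGN_MANAGED = {SWITCHER: True, ALT_PATH: "${firefox}", TEST_PAGE: False}

if __name__ == "__main__":
    for finding in audit_policies(flatten_policies(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```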

Google response

The researcher (Ading) describes a Chrome extension vulnerability that leverages a flaw in the handling of inspectedWindow.reload() API calls: the exploit abuses the fact that debugger requests persist after a tab crash and injects a script that crashes the tab a second time, allowing arbitrary code execution.

The researcher reported a high-severity vulnerability in Google Chrome that could potentially lead to remote code execution. Google quickly confirmed and fixed the issue, assigning CVE-2024-5836 and CVE-2024-6778, and rewarded the researcher $20,000 for the discovery.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.