Attacking Chrome IPC: Reliably finding bugs to escape the Chrome sandbox

nedwill

54 min | 2018-12-29 | Fahrplan 3785

Playlist: 35c3

In this talk, I discuss how to reliably find bugs in the Chrome IPC system with the goal of escaping the sandbox. I show how to enumerate the attack surface, how to identify the weak areas, and how to fuzz those areas efficiently to consistently produce bugs.

Since the win32k lockdown of the Chrome renderer process, full-chain Chrome exploits on Windows have become very rare, with the most recent successful competition exploit occurring in 2015.

By applying new fuzzing strategies, I was able to identify many vulnerabilities in the sandbox in the past year, one of which I used to demonstrate a full-chain exploit at Hack2Win this year when combined with a teammate's RCE bug.

In this talk I hope to show how I found these bugs by using extremely targeted fuzzing in a way that was easy to set up but reliably had great results, and briefly cover how we leveraged one use-after-free bug to fully escape the sandbox.

https://twitter.com/NedWilliamson/status/1043150732742946816
