chrome-sbx-db's Introduction

Case Study of Chrome Sandbox Escape

A Collection of Chrome Sandbox Escape POCs/Exploits for learning.

Permission Allowed Issues

| Issue | Type | Summary | Label | Reporter | Links |
|---|---|---|---|---|---|
| crbug-1005753 | Patch POC | UAF in IndexedDB | CVE-2019-13693, M-77, M-78, reward-20500 | Guang Gong | - |
| crbug-1004730 | Patch POC | UAF in MojoAudioDecoder | CVE-2019-13695, M-77, reward-15000 | Man Yue Mo | - |
| crbug-1001503 | MojoJS POC | UAF in Aura | CVE-2019-13699, M-77, reward-20000 | Man Yue Mo | - |
| crbug-1000934 | HTML POC | UAF in Sharing | CVE-2019-13685, M-77, M-78, reward-15000 | chromium.khalil | - |
| crbug-1000002 | MojoJS POC | UAF in OfflinePage2 (Android) | CVE-2019-13686, M-76, reward-20000 | Brendon Tiszka | - |
| crbug-998548 | MojoJS POC | UAF in ImageCapture | CVE-2019-13687, M-76, M-77, M-78, reward-20000 | Man Yue Mo | - |
| crbug-998431 | MojoJS POC | Heap Overflow in GamepadService | CVE-2019-13700, M-77, reward-15000 | Man Yue Mo | - |
| crbug-997190 | Patch POC | UAF in MediaSession (Android) | CVE-2019-5876, M-76, reward-20000 | Man Yue Mo | - |
| crbug-996741 | Patch POC | Logic Bug in Payment Handler API | M-76 | Sergey Glazunov | p0-1928 |
| crbug-995964 | MojoJS POC | UAF in VideoCapture | CVE-2019-13688, M-77, M-78, reward-20000 | Man Yue Mo | - |
| crbug-993223 | HTML POC | UAF in Payment | M-77, reward-5000 | chromium.khalil | crbug-992285 |
| crbug-987261 | HTML POC | Logic Bug in WebUI | - | Vladimir Metnew | - |
| crbug-984521 | MojoJS POC | UAF in IndexedDB IndexedDBConnection::Close | M-76 | Mark Brand | p0-1912 |
| crbug-981873 | MojoJS POC | UAF in IndexedDB ~LevelDBIteratorImpl | M-76 | Mark Brand | p0-1904 |
| crbug-977462 | MojoJS POC | UAF in OfflinePage (Android) | CVE-2019-5850, M-75, reward-10000 | Brendon Tiszka | crbug-977195 |
| crbug-972239 | MojoJS POC | UAF in IndexedDB IndexedDBTransaction::Abort | M-76 | Mark Brand | - |
| crbug-971702 | HTML POC | UAF in chrome!content::Portal::Activate | M-76, reward-8000 | Pawel Wylecial | crbug-968142, RedTeam Blog |
| crbug-966784 | MojoJS POC | UAF in IndexedDB AbortAllTransactions | M-76, reward-5000 | cdsrc2016 | - |
| crbug-966762 | MojoJS POC | UAF in IndexedDB RequestComplete 2 | M-76, reward-10500 | cdsrc2016 | - |
| crbug-962500 | HTML POC | Logic Bug in WebUI | reward-10000 | Michal Bentkowski | - |
| crbug-960484 | MojoJS POC | UAF in SerialChooserController | M-75 | jonorman | - |
| crbug-956597 | HTML POC | UAF in ServiceWorkerPaymentInstrument | M-75, M-76, reward-5000 | leecraso, Guang Gong | - |
| crbug-948172 | Full Chain Exploit | Logic Bug in PDF plugin using Pepper Socket API | M-75 | Sergey Glazunov | Full Chain Exploit, crbug-950005, p0-1813, p0-1817 |
| crbug-945370 | HTML POC | UAF in IndexedDB DeleteRequest | M-75, reward-8000 | cdsrc2016 | - |
| crbug-942898 | HTML POC | UAF in IndexedDB RequestComplete | M-74, reward-10000 | cdsrc2016 | - |
| crbug-941746 | Full Chain WriteUp | UAF in IndexedDBDatabase (Pwnium 2019) | CVE-2019-5826, M-73 | Gengming Liu | BlackhatUSA2019, POC2019 |
| crbug-941008 | MojoJS POC | UAF in FileChooserImpl | CVE-2019-5809, M-73, M-74, M-75 | Mark Brand | p0-1803 |
| crbug-925864 | MojoJS POC | UAF in FileSystemOperationRunner | CVE-2019-5788, M-73 | Mark Brand | p0-1767 |
| crbug-922677 | Full Chain Exploit | UAF in FileWriterImpl | M-71 | Mark Brand | Full Chain Exploit, p0-1755, P0 Blog |
| crbug-921581 | MojoJS POC | UAF in WebMIDI | CVE-2019-5789, M-73 | Mark Brand | p0-1754 |
| crbug-916523 | MojoJS POC | Double Free in StoragePartitionService | CVE-2019-5797, M-73 | Mark Brand | p0-1744 |
| crbug-916080 | MojoJS POC | UAF in P2PSocketDispatcherHost | M-71 | Mark Brand | p0-1743 |
| crbug-912947 | MojoJS POC | UAF in PaymentRequest | M-72 | Mark Brand | p0-1735 |
| crbug-912520 | MojoJS POC | UAF in MediaStream | M-72 | Mark Brand | p0-1730 |
| crbug-888926 | Full Chain Exploit | UaF in Appcache (Hack2Win 2018) | CVE-2018-17462, M-69, M-70 | Ned Williamson, Niklas Baumstark | POC2018, 35C3, Github, OffensiveCon2019 |
| crbug-888366 | HTML POC | UAF in WebAudio | M-70, M-71, reward-5500 | cdsrc2016 | - |
| crbug-877182 | Patch POC | OOB Read/Write in Mojo DataPipe deserialization | CVE-2018-16068, M-68 | Mark Brand | - |
| crbug-842990 | Patch POC | UAF in IndexedDB Connection | CVE-2018-6127, M-66, reward-10000 | Looben Yang | - |
| crbug-835887 | Full Chain Exploit | Logic Bug in "filesystem:" Scheme URL, PDF Plugin, Extension, WebUI | M-67, M-68, reward-40633.7 | Sergey Glazunov | crbug-836362, crbug-836859, crbug-836858, crbug-840857 |
| crbug-831963 | Patch POC | UAF in In-memory Cache 2 | CVE-2018-6118, M-66, M-67, M-68, reward-10500 | Ned Williamson | - |
| crbug-827492 | Patch POC | UAF in In-memory Cache | CVE-2018-6086, M-66, reward-10500 | Ned Williamson | - |
| crbug-826626 | Patch POC | UAF in Blockfile Media Cache | CVE-2018-6085, M-66, reward-10000 | Ned Williamson | - |
| crbug-794969 | Patch POC | OOB Read in deserializing Mojo "Event" messages | M-65 | Gal Beniamini | - |
| crbug-791003 | Patch POC | Logic Bug in "catalog" service | CVE-2018-6055, M-65 | Gal Beniamini | - |
| crbug-780708 | WriteUp | Logic Bug in Android “googlechrome:” Scheme URL (Mobile Pwn2Own 2017) | M-65 | ? | - |
| crbug-779314 | Patch POC | OOB Read in Blob | CVE-2017-15416, M-65, reward-2500 | Ned Williamson | - |
| crbug-778505 | Patch POC | OOB Write in QUIC | CVE-2017-15407, M-65, reward-10500 | Ned Williamson | - |
| crbug-777728 | Patch POC | Stack Overflow in QUIC | CVE-2017-15398, M-76, reward-10500 | Ned Williamson | - |
| crbug-728887 | Patch POC | UAF in IndexedDB OpenCursor | CVE-2017-5091, M-60, reward-10000 | Ned Williamson | - |
| crbug-725032 | Patch POC | UAF in IndexedDB Transactions | CVE-2017-5087, M-58, M-60, M-61, reward-10500 | Ned Williamson | - |
| crbug-698622 | HTML POC | UAF in Printing | CVE-2017-5055, M-57, M-58, reward-9337 | Wadih Matar | - |
| crbug-664551 | Full Chain Exploit | Logic Bug in Android Play Store (PWNFest 2016) | M-55 | Guang Gong | Github |
| crbug-659489 | Full Chain WriteUp | Logic Bug in Android "content:" Scheme URL, File Download (Mobile Pwn2Own 2016) | M-54 | Robert Miller, Georgi Geshev | crbug-659492, WriteUp |
| crbug-659474 | Full Chain WriteUp | Logic Bug in Android "intent:" Scheme URL, IPC (Mobile Pwn2Own 2016) | M-54 | Qidan He, Gengming Liu | crbug-659477, WriteUp, CSW2017 |
| crbug-610600 | Frida Exploit | Logic Bug in PPAPI/Flash Broker | CVE-2016-1706, M-52, reward-15000 | Pinkie Pie | - |
| crbug-595834 | Full Chain Exploit | Logic Bug in GPU, WebUI, SmartScreen (Pwn2Own 2016) | - | JungHoon Lee | crbug-595844, crbug-596862, WriteUp |
| crbug-590284 | Patch POC | UAF in RenderWidgetHostImpl | CVE-2016-1647, M-49, M-50, reward-10500 | gzobqq | - |
| crbug-564501 | Patch POC | UAF in MidiHost | M-48 | Oliver Chang | - |
| crbug-558589 | Webserver POC | UAF in AppCacheUpdateJob | CVE-2015-6765, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-554946 | Full Chain WriteUp | Logic Bug in Android Play Store (Mobile Pwn2Own 2015) | CVE-2015-6764, M-47, reward-7500 | Guang Gong | crbug-554518, Github |
| crbug-554908 | Patch, Webserver POC | UAF in AppCacheDispatcherHost | CVE-2015-6767, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-551044 | Patch, Webserver POC | Memory Corruption in AppCacheUpdateJob | CVE-2015-6766, M-47, M-48, reward-11337 | gzobqq | - |
| crbug-484270 | Webserver POC | Heap Overflow in CertificateResourceHandler | M-43 | Mark Brand | - |
| crbug-416449 | Full Chain Exploit | OOB Write in P2PHostMsg_Send IPC | CVE-2014-3188, M-38, reward-27634 | Jüri Aedla | crbug-416528, WriteUp |
| crbug-386988 | Full Chain Exploit | Logic Bugs in Extension and WebUI | reward-30000 | JungHoon Lee | crbug-367567, crbug-387033, crbug-387037, crbug-50275 |
| crbug-352369 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Pwn2Own 2014) | M-33 | VUPEN | crbug-352395, Google Presentation |
| crbug-319117 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Mobile Pwn2Own 2013) | CVE-2013-6632, M-31, M-32 | Pinkie Pie | crbug-319125, WriteUp |

Permission Denied Issues

| Issue Number | Patch Version | Summary | Reporter |
|---|---|---|---|
| crbug-1018677 | 79.0.3945.130 | [$TBD] Critical CVE-2020-6378: Use-after-free in speech recognizer | Antti Levomäki, Christian Jalio |
| crbug-1032170 | 79.0.3945.130 | [$N/A] High CVE-2020-6380: Extension message verification error | Sergei Glazunov |
| crbug-1025067 | 79.0.3945.79 | [$20000] Critical CVE-2019-13725: Use after free in Bluetooth | Gengming Liu, Jianyu Chen |
| crbug-1027152 | 79.0.3945.79 | [$TBD] Critical CVE-2019-13726: Heap buffer overflow in password manager, p0-1972 | Sergei Glazunov |
| crbug-1024121 | 78.0.3904.108 | [$TBD] High CVE-2019-13723: Use-after-free in Bluetooth | Yuxiang Li |
| crbug-1024116 | 78.0.3904.108 | [$TBD] High CVE-2019-13724: Out-of-bounds access in Bluetooth | Yuxiang Li |
| crbug-999311 | 77.0.3865.75 | [$30000] Critical CVE-2019-5870: Use-after-free in media | Guang Gong |
| crbug-989797 | 77.0.3865.75 | [$3000] High CVE-2019-5874: External URIs may trigger other browsers | James Lee |
| crbug-959438 | 76.0.3809.87 | [$TBD] High CVE-2019-5859: Some URIs can load alternative browsers | James Lee |

  • This list only includes Permission Denied issues posted on the Chrome Releases blog (latest 3 years).
  • It was compiled by hand, so some issues may be missing.

Chrome Sandbox Internals

Other Materials

chrome-sbx-db's People

Contributors

allpaca
