Another Way to Talk with Browser: Exploiting Chrome at Network Layer

Presented at Black Hat USA 2022, Aug. 11, 2022, 2:30 p.m. (30 minutes)

Networking is a critical and complex task for browsers. It ranges from high level JavaScript APIs, all the way down to managing every socket connection. Services on remote servers can control every single byte sent to the browser during communication, which might lead to memory safety issues when the browser parses the inputs. But apart from these security issues due to data processing, are there other logic bugs from a higher-level view? Can this type of bug be exploited and how?

In this presentation, we will show how we discovered several bugs in the Chrome network stack and exploited them to compromise the renderer process and escaped the Chrome sandbox. We will discuss the design problems of resource fetching/caching and one of the transport layer protocols embedded in Chrome. We will illustrate how server-side responses can affect browser behavior, which results in security bugs. Finally, we will detail the exploit strategy of these bugs which we used to win the Chrome category in the Tianfu Cup 2021 Cybersecurity Contest.

Presenters:

• Guang Gong - Tech Leader, 360 Vulnerability Research Institute
  Guang Gong is a senior security researcher of 360 Security and the team leader of 360 Alpha Lab. His research interests include Windows rootkits, virtualization, and Cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android vulnerabilities. He and his team have found more than 300 vulnerabilities of Google and Qualcomm. He has pwned various Android devices in many hacking competitions. A recently discovered exploit chain helped him win the highest reward in the history of all Google VRP programs.
• Rong Jian - Security Researcher, 360 Vulnerability Research Institute
  Rong Jian (@__R0ng) is a security researcher at 360 Vulnerability Research Institute. His research focuses on Browser security. He was a winner of the Chrome category in the Tianfu Cup 2020 / 2021 Cybersecurity Contest.

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#another-way-to-talk-with-browser-exploiting-chrome-at-network-layer-26905

Similar Presentations:

• Black Hat USA 2012 / Advanced Chrome Extension Exploitation - Leveraging API Powers for the Better Evil
• Black Hat Europe 2020 Virtual / Shield with Hole: New Security Mitigation Helps Us Escape Chrome Sandbox to Exfiltrate User Privacy
• Black Hat USA 2021 / Put in One Bug and Pop Out More: An Effective Way of Bug Hunting in Chrome