Escaping the Chrome Sandbox with RIDL


ForgottenSeer 85179

Thread author
tl;dr: Vulnerabilities that leak cross process memory can be exploited to escape the Chrome sandbox. An attacker is still required to compromise the renderer prior to mounting this attack. To protect against attacks on affected CPUs make sure your microcode is up to date and disable hyper-threading (HT).

In this post, we will take a look at the sandbox and in particular at the impact of RIDL and similar hardware vulnerabilities when used from a compromised renderer. Chrome’s IPC mechanism Mojo is based on secrets for message routing and leaking these secrets allows us to send messages to privileged interfaces and perform actions that the renderer shouldn’t be allowed to do. We will use this to read arbitrary local files as well as execute a .bat file outside of the sandbox on Windows. At the time of writing, both Apple and Microsoft are actively working on a fix to prevent this attack in collaboration with the Chrome security team.

The text is very technical and has code samples, so I don't quote the whole post.
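The tl;dr quoted above gives two mitigations for affected CPUs: keep microcode current and disable hyper-threading. As an added example that is not part of this thread or of the Project Zero post, the PowerShell below reports the state of both on a Windows machine (the platform the post's .bat example targets): whether each CPU socket currently exposes more logical processors than cores (HT/SMT active) and which microcode revision Windows loaded at boot. The `Win32_Processor` class and the `Update Revision` / `Previous Update Revision` registry values are real; the byte layout assumed to decode the revision (8-byte value, revision in bytes 4-7, little-endian) is an assumption, so the raw bytes are printed next to the decoded number for comparison with the vendor's microcode table. The optional last step uses Microsoft's `SpeculationControl` module from the PowerShell Gallery if it is installed.

```powershell
# Added example: report HT/SMT state and loaded microcode revision on Windows.
# Only reads system state; turning HT off is a firmware (BIOS/UEFI) setting.

function Get-SmtStatus {
    # A socket with more logical processors than cores has HT/SMT active.
    Get-CimInstance -ClassName Win32_Processor | ForEach-Object {
        [pscustomobject]@{
            Socket            = $_.DeviceID
            Name              = $_.Name.Trim()
            Cores             = $_.NumberOfCores
            LogicalProcessors = $_.NumberOfLogicalProcessors
            SmtEnabled        = ($_.NumberOfLogicalProcessors -gt $_.NumberOfCores)
        }
    }
}

function Get-MicrocodeRevision {
    # Windows stores the microcode revision it applied ("Update Revision") and the
    # one the firmware had loaded before ("Previous Update Revision") for CPU 0.
    # Assumption: REG_BINARY of 8 bytes, revision in the high DWORD (bytes 4-7).
    $key  = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
    $item = Get-ItemProperty -Path $key
    foreach ($name in 'Update Revision', 'Previous Update Revision') {
        $raw = $item.$name
        if ($null -eq $raw -or $raw.Length -lt 8) { continue }
        [pscustomobject]@{
            Value    = $name
            RawBytes = ($raw | ForEach-Object { $_.ToString('x2') }) -join ' '
            Revision = ('0x{0:x}' -f [BitConverter]::ToUInt32($raw, 4))
        }
    }
}

function Get-OsMitigationStatus {
    # Optional: Microsoft's module (Install-Module SpeculationControl) summarises
    # which speculative-execution mitigations the OS has enabled, MDS included.
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        Get-SpeculationControlSettings
    } else {
        Write-Warning 'SpeculationControl module not installed; skipping OS mitigation summary.'
    }
}

'--- HT/SMT status per socket ---'
Get-SmtStatus | Format-Table -AutoSize

'--- Microcode revision (compare RawBytes with the CPU vendor''s table) ---'
Get-MicrocodeRevision | Format-Table -AutoSize

'--- OS speculative-execution mitigations ---'
Get-OsMitigationStatus
```

Run it from an elevated prompt so the registry and CIM queries succeed on locked-down systems. If `SmtEnabled` is `True` on an affected CPU, the sibling thread is still there for a cross-thread leak; if `Update Revision` is older than the vendor's fixed revision, the microcode mitigation is not in place regardless of what the OS reports.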
 

Sampei Nihira

Level 6
Verified
Well-known
Dec 26, 2019
287
I don't think there are any users willing to disable hyper-threading (HT) for a bug that has its effect on Chrome.
It would be interesting to wonder if other chrome-based browsers also have the same vulnerability.
 

ForgottenSeer 85179

Thread author
I don't think there are any users willing to disable hyper-threading (HT) for a bug that has its effect on Chrome.
It would be interesting to wonder if other chrome-based browsers also have the same vulnerability.
Chrome and Firefox had this problem once before, back last(?) year. Both built their own protections against it, but it looks like Intel HT is still problematic, and I also wonder why Chrome still has these problems.

Also, I think that activating the protections against side-channel attacks would help, even without disabling HT.
 

Sampei Nihira

Level 6
Verified
Well-known
Dec 26, 2019
287
Chrome has suffered more from sandbox bypassing.
I always say that a sandbox is as strong as the system on which it rests is strong.
And however strong a system may be, there will always be weaknesses.
If there are weak points in the system (Kernel etc etc ...) the sandbox also shows its weakness.
 

ForgottenSeer 823865

Thread author
Chrome has suffered more from sandbox bypassing.
I always say that a sandbox is as strong as the system on which it rests is strong.
And however strong a system may be, there will always be weaknesses.
If there are weak points in the system (Kernel etc etc ...) the sandbox also shows its weakness.
Not to mention fork bombs, memory escapes, etc.
 
