Breaking the Chrome Sandbox with Mojo
Leaking a port name in Chrome's Mojo framework can lead to a sandbox escape and exploit; the talk also covers a tight race window and a denial-of-service vulnerability.
- Leaking a port name in Chrome’s Mojo framework can lead to a sandbox escape and exploit.
- A socket pair is created; one end is kept and the other is sent back, which allows communication with the network process.
- The browser process does not have a direct connection to the renderer, but one can be introduced through the network process.
- A privileged port name is required to communicate with the network process.
- A tight race window exists while the network process is alive, which allows exploitation.
- The network process can be crashed, causing a denial of service.
- A patch introduced a check for the “introduce” message, but the check was later ignored.
- A third bug allowed a new node to be introduced into the network.
- If the network process crashes it can be spawned again, but the renderer will still have access.
- A node name can be reused by sending a message to the broker node.
- The network process has a connection to the renderer, but it’s not direct.
- The renderer can request a URL load from the network process, which allows exploitation.
- The network process can be exploited through a privileged port name.