🎥 The Hole in Sandbox: Escape Modern Web-Based App Sandbox From Site-Isolation Perspective
News section: 🎥 IT Security Video
🔗 Source: youtube.com
Author: Black Hat - Rating: 6x - Views: 40
Process isolation is a crucial security feature in the Chrome browser. In its early stages, process isolation was implemented only as out-of-process rendering (the sandboxed renderer). With the emergence of new attack methods such as UXSS and Spectre, which can steal data from the renderer process or infer it through speculative execution, Chrome introduced the concept of Site Isolation, advocating more fine-grained process isolation. It gradually introduced multiple security strategies, designed from the perspective of defending against attacks while the user is in a logged-in state, to prevent attackers from stealing user data.
In this talk, we initially found an exploitation method applicable to Chrome for Android that goes from a renderer Remote Code Execution (RCE) to Universal Cross-Site Scripting (UXSS). With this method we can inject JavaScript code into the majority of websites. In the threat model envisioned by Google Chrome, however, this method cannot cause further harm. Chromium is also used as a browser component in the development of applications on various platforms, such as libcef and WebView. Is our exploit method effective in these scenarios?
Through our research, we found that application developers often implement certain privileged APIs, which allow browser components loaded with whitelisted domains to execute certain high-risk operations. Most importantly, these operations do not require the user to maintain a logged-in state on the web page, which breaks Chrome's current Site Isolation defense strategy.
We researched three categories of applications with different site-isolation levels: PC-based libcef applications, pre-installed mobile browsers, and Android WebView applications. As expected, we found a series of security issues. These vulnerabilities allow attackers to escape the Chrome sandbox from a compromised sandboxed renderer. Specifically, we can achieve remote code execution, silently install and launch arbitrary applications, steal private user data, and perform other high-risk malicious actions.
By:
Bohan Liu | Senior Security Researcher, Tencent Security Xuanwu Lab
Haibin Shi | Senior Security Researcher, Tencent Security Xuanwu Lab
Full Abstract & Presentation Materials:
https://www.blackhat.com/asia-24/briefings/schedule/#the-hole-in-sandbox-escape-modern-web-based-app-sandbox-from-site-isolation-perspective-37166