A Collection of Chrome Sandbox Escape POCs/Exploits for learning.
Issue | Type | Summary | Label | Reporter | Links |
---|---|---|---|---|---|
crbug-1032170 | WriteUp | Logic Bug in Extension message verification | CVE-2020-6380, M-79 | Sergey Glazunov | crbug-1031670 |
crbug-1031653 | Patch POC | UAF in Desktop Media Picker | CVE-2019-13767, M-79 | Sergey Glazunov | p0-1985, crbug-1031142 |
crbug-1031142 | Full Chain Exploit | Logic Bug in Extensions (Site Isolation Bypass) | CVE-2019-13767, M-79 | Sergey Glazunov | crbug-1031670 |
crbug-1027152 | Patch POC | Heap Overflow in PasswordFormManager | CVE-2019-13726, M-78 | Sergey Glazunov | p0-1972 |
crbug-1025067 | MojoJS POC | UAF in BluetoothAdapter | CVE-2019-13725, M-78, M-79, reward-20000 | Gengming Liu, Jianyu Chen | - |
crbug-1024121 | MojoJS POC | UAF in WebBluetoothServiceImpl | CVE-2019-13723, M-78, M-79, reward-20000 | Yuxiang Li | - |
crbug-1024116 | MojoJS POC | OOB Access in WebBluetoothServiceImpl | CVE-2019-13724, M-78, reward-20000 | Yuxiang Li | - |
crbug-1007194 | WriteUp | UAF in MojoCdmProxyService | CVE-2019-13765, M-77, reward-5000 | Guang Gong | crbug-999311 |
crbug-1005753 | Patch POC | UAF in IndexedDB | CVE-2019-13693, M-77, M-78, reward-20500 | Guang Gong | - |
crbug-1004730 | Patch POC | UAF in MojoAudioDecoder | CVE-2019-13695, M-77, reward-15000 | Man Yue Mo | - |
crbug-1001503 | MojoJS POC | UAF in Aura | CVE-2019-13699, M-77, reward-20000 | Man Yue Mo | - |
crbug-1000934 | HTML POC | UAF in Sharing | CVE-2019-13685, M-77, M-78, reward-15000 | chromium.khalil | - |
crbug-1000002 | MojoJS POC | UAF in OfflinePage2 (Android) | CVE-2019-13686, M-76, reward-20000 | Brendon Tiszka | - |
crbug-998548 | MojoJS POC | UAF in ImageCapture | CVE-2019-13687, M-76, M-77, M-78, reward-20000 | Man Yue Mo | - |
crbug-998431 | MojoJS POC | Heap Overflow in GamepadService | CVE-2019-13700, M-77, reward-15000 | Man Yue Mo | - |
crbug-997190 | Patch POC | UAF in MediaSession (Android) | CVE-2019-5876, M-76, reward-20000 | Man Yue Mo | - |
crbug-996741 | Patch POC | Logic Bug in Payment Handler API | M-76 | Sergey Glazunov | p0-1928 |
crbug-995964 | MojoJS POC | UAF in VideoCapture | CVE-2019-13688, M-77, M-78, reward-20000 | Man Yue Mo | - |
crbug-993223 | HTML POC | UAF in Payment | M-77, reward-5000 | chromium.khalil | crbug-992285 |
crbug-987261 | HTML POC | Logic Bug in WebUI | - | Vladimir Metnew | - |
crbug-986211 | Webserver POC | Heap Overflow in Network Service | M-76 | Mark Brand, Sergey Glazunov | P0 Blog1, P0 Blog2 |
crbug-984521 | MojoJS POC | UAF in IndexedDB IndexedDBConnection::Close | M-76 | Mark Brand | p0-1912 |
crbug-981873 | MojoJS POC | UAF in IndexedDB ~LevelDBIteratorImpl | M-76 | Mark Brand | p0-1904 |
crbug-977462 | MojoJS POC | UAF in OfflinePage (Android) | CVE-2019-5850, M-75, reward-10000 | Brendon Tiszka | crbug-977195 |
crbug-972239 | MojoJS POC | UAF in IndexedDB IndexedDBTransaction::Abort | M-76 | Mark Brand | - |
crbug-971702 | HTML POC | UAF in chrome!content::Portal::Activate | M-76, reward-8000 | Pawel Wylecial | crbug-968142, RedTeam Blog |
crbug-966784 | MojoJS POC | UAF in IndexedDB AbortAllTransactions | M-76, reward-5000 | cdsrc2016 | - |
crbug-966762 | MojoJS POC | UAF in IndexedDB RequestComplete 2 | M-76, reward-10500 | cdsrc2016 | - |
crbug-962500 | HTML POC | Logic Bug in WebUI | reward-10000 | Michal Bentkowski | - |
crbug-960484 | MojoJS POC | UAF in SerialChooserController | M-75 | jonorman | - |
crbug-956597 | HTML POC | UAF in ServiceWorkerPaymentInstrument | M-75, M-76, reward-5000 | leecraso, Guang Gong | - |
crbug-948172 | Full Chain Exploit | Logic Bug in PDF plugin using Pepper Socket API | M-75 | Sergey Glazunov | Full Chain Exploit, crbug-950005, p0-1813, p0-1817 |
crbug-945370 | HTML POC | UAF in IndexedDB DeleteRequest | M-75, reward-8000 | cdsrc2016 | - |
crbug-942898 | HTML POC | UAF in IndexedDB RequestComplete | M-74, reward-10000 | cdsrc2016 | - |
crbug-941746 | Full Chain WriteUp | UAF in IndexedDBDatabase (Pwnium 2019) | CVE-2019-5826, M-73 | Gengming Liu | BlackhatUSA2019, POC2019 |
crbug-941008 | MojoJS POC | UAF in FileChooserImpl | CVE-2019-5809, M-73, M-74, M-75 | Mark Brand | p0-1803 |
crbug-925864 | MojoJS POC | UAF in FileSystemOperationRunner | CVE-2019-5788, M-73 | Mark Brand | p0-1767 |
crbug-922677 | Full Chain Exploit | UAF in FileWriterImpl | M-71 | Mark Brand | Full Chain Exploit, p0-1755, P0 Blog |
crbug-921581 | MojoJS POC | UAF in WebMIDI | CVE-2019-5789, M-73 | Mark Brand | p0-1754 |
crbug-916523 | MojoJS POC | Double Free in StoragePartitionService | CVE-2019-5797, M-73 | Mark Brand | p0-1744 |
crbug-916080 | MojoJS POC | UAF in P2PSocketDispatcherHost | M-71 | Mark Brand | p0-1743 |
crbug-912947 | MojoJS POC | UAF in PaymentRequest | M-72 | Mark Brand | p0-1735 |
crbug-912520 | MojoJS POC | UAF in MediaStream | M-72 | Mark Brand | p0-1730 |
crbug-888926 | Full Chain Exploit | UAF in Appcache (Hack2Win 2018) | CVE-2018-17462, M-69, M-70 | Ned Williamson, Niklas Baumstark | POC2018, 35C3, Github, OffensiveCon2019 |
crbug-888366 | HTML POC | UAF in WebAudio | M-70, M-71, reward-5500 | cdsrc2016 | - |
crbug-877182 | Patch POC | OOB Read/Write in Mojo DataPipe deserialization | CVE-2018-16068, M-68 | Mark Brand | - |
crbug-842990 | Patch POC | UAF in IndexedDB Connection | CVE-2018-6127, M-66, reward-10000 | Looben Yang | - |
crbug-835887 | Full Chain Exploit | Logic Bug in "filesystem:" Scheme URL, PDF Plugin, Extension, WebUI | M-67, M-68, reward-40633.7 | Sergey Glazunov | crbug-836362, crbug-836859, crbug-836858, crbug-840857 |
crbug-831963 | Patch POC | UAF in In-memory Cache 2 | CVE-2018-6118, M-66, M-67, M-68, reward-10500 | Ned Williamson | - |
crbug-827492 | Patch POC | UAF in In-memory Cache | CVE-2018-6086, M-66, reward-10500 | Ned Williamson | - |
crbug-826626 | Patch POC | UAF in Blockfile Media Cache | CVE-2018-6085, M-66, reward-10000 | Ned Williamson | - |
crbug-794969 | Patch POC | OOB Read in deserializing Mojo "Event" messages | M-65 | Gal Beniamini | - |
crbug-791003 | Patch POC | Logic Bug in "catalog" service | CVE-2018-6055, M-65 | Gal Beniamini | - |
crbug-780708 | WriteUp | Logic Bug in Android "googlechrome:" Scheme URL (Mobile Pwn2Own 2017) | M-65 | ? | - |
crbug-779314 | Patch POC | OOB Read in Blob | CVE-2017-15416, M-65, reward-2500 | Ned Williamson | - |
crbug-778505 | Patch POC | OOB Write in QUIC | CVE-2017-15407, M-65, reward-10500 | Ned Williamson | - |
crbug-777728 | Patch POC | Stack Overflow in QUIC | CVE-2017-15398, M-76, reward-10500 | Ned Williamson | - |
crbug-728887 | Patch POC | UAF in IndexedDB OpenCursor | CVE-2017-5091, M-60, reward-10000 | Ned Williamson | - |
crbug-725032 | Patch POC | UAF in IndexedDB Transactions | CVE-2017-5087, M-58, M-60, M-61, reward-10500 | Ned Williamson | - |
crbug-698622 | HTML POC | UAF in Printing | CVE-2017-5055, M-57, M-58, reward-9337 | Wadih Matar | - |
crbug-664551 | Full Chain Exploit | Logic Bug in Android Play Store (PWNFest 2016) | M-55 | Guang Gong | Github |
crbug-659489 | Full Chain WriteUp | Logic Bug in Android "content:" Scheme URL, File Download (Mobile Pwn2Own 2016) | M-54 | Robert Miller, Georgi Geshev | crbug-659492, WriteUp |
crbug-659474 | Full Chain WriteUp | Logic Bug in Android "intent:" Scheme URL, IPC (Mobile Pwn2Own 2016) | M-54 | Qidan He, Gengming Liu | crbug-659477, WriteUp, CSW2017 |
crbug-610600 | Frida Exploit | Logic Bug in PPAPI/Flash Broker | CVE-2016-1706, M-52, reward-15000 | Pinkie Pie | - |
crbug-595834 | Full Chain Exploit | Logic Bug in GPU, WebUI, SmartScreen (Pwn2Own 2016) | - | JungHoon Lee | crbug-595844, crbug-596862, WriteUp |
crbug-590284 | Patch POC | UAF in RenderWidgetHostImpl | CVE-2016-1647, M-49, M-50, reward-10500 | gzobqq | - |
crbug-564501 | Patch POC | UAF in MidiHost | M-48 | Oliver Chang | - |
crbug-558589 | Webserver POC | UAF in AppCacheUpdateJob | CVE-2015-6765, M-47, M-48, reward-10000 | gzobqq | - |
crbug-554946 | Full Chain WriteUp | Logic Bug in Android Play Store (Mobile Pwn2Own 2015) | CVE-2015-6764, M-47, reward-7500 | Guang Gong | crbug-554518, Github |
crbug-554908 | Patch, Webserver POC | UAF in AppCacheDispatcherHost | CVE-2015-6767, M-47, M-48, reward-10000 | gzobqq | - |
crbug-551044 | Patch, Webserver POC | Memory Corruption in AppCacheUpdateJob | CVE-2015-6766, M-47, M-48, reward-11337 | gzobqq | - |
crbug-484270 | Webserver POC | Heap Overflow in CertificateResourceHandler | M-43 | Mark Brand | - |
crbug-416449 | Full Chain Exploit | OOB Write in P2PHostMsg_Send IPC | CVE-2014-3188, M-38, reward-27634 | Jüri Aedla | crbug-416528, WriteUp |
crbug-386988 | Full Chain Exploit | Logic Bugs in Extension and WebUI | reward-30000 | JungHoon Lee | crbug-367567, crbug-387033, crbug-387037, crbug-50275 |
crbug-352369 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Pwn2Own 2014) | M-33 | VUPEN | crbug-352395, Google Presentation |
crbug-319117 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Mobile Pwn2Own 2013) | CVE-2013-6632, M-31, M-32 | Pinkie Pie | crbug-319125, WriteUp |
- It only includes the Chrome browser's own bugs, such as IPC (Mojo), WebAPI, WebUI and Extension bugs (exploits that rely on kernel bugs, such as MWRLab's Pwn2Own 2013 exploit and lokihardt's Pwn2Own 2015 exploit, are not included).
- It only includes security bugs whose POC/exploit was published on crbug.com.
- It was searched by hand, so some entries may be missing.

Issue Number | Chromium Review | Summary | Reporter |
---|---|---|---|
crbug-1019161 | bug:1019161 | [81.0.4044.92][$7500] High CVE-2020-6454: Use after free in extensions | Leecraso, Guang Gong |
crbug-1059349 | bug:1059349 | [80.0.3987.149][$N/A] High CVE-2019-20503: Out of bounds read in usersctplib | Natalie Silvanovich |
crbug-1031670 | bug:1031670 | [80.0.3987.149][$N/A] High CVE-2020-6425: Insufficient policy enforcement in extensions | Sergei Glazunov |
crbug-1045931 | bug:1045931 | [80.0.3987.122][$N/A] High CVE-2020-6407: Out of bounds memory access in streams (unclear whether this is a sandbox escape) | Sergei Glazunov |
crbug-1035399 | bug:1035399 | [80.0.3987.122][$N/A] High CVE-2020-6385: Insufficient policy enforcement in storage, p0-1991 | Sergei Glazunov |
crbug-1018677 | bug:1018677 | [79.0.3945.130] [$TBD] Critical CVE-2020-6378: Use-after-free in speech recognizer | Antti Levomäki, Christian Jalio |
crbug-999311 | bug:999311 | [77.0.3865.75][$30000] Critical CVE-2019-5870: Use-after-free in media | Guang Gong |
crbug-989797 | bug:989797 | [77.0.3865.75][$3000] High CVE-2019-5874: External URIs may trigger other browsers | James Lee |
crbug-959438 | bug:959438 | [76.0.3809.87][$TBD] High CVE-2019-5859: Some URIs can load alternative browsers | James Lee |
- It only includes permission-denied issues posted on the Chrome Releases blog (latest 3 years).
- It was searched by hand, so some entries may be missing here, too.

- Stanford seclab - The Security Architecture of the Chromium Browser (2008), PPT
- Chromium Docs - Sandbox
- Chromium Docs - Sandbox FAQ
- Chromium Docs - WebUI Explainer
- Chromium Docs - Mojo
- Chromium Docs - Intro to Mojo & Services
- Chromium Docs - Mojo Basics
- Chromium Docs - Mojo IDL
- Chromium Docs - Mojo C System API
- Chromium Docs - Mojo C++ Bindings API
- Chromium Docs - Mojo JavaScript Bindings API
- Chromium Docs - Mojo "Style" Guide
- Chromium Docs - Converting Legacy IPC to Mojo
- Chromium Docs - The Service Manager & Services
- Chromium Docs - Service Development Guidelines
- Chromium Docs - Servicifying Chromium Features
- Google Docs - Chrome Service Model
- Google Docs - Mojo Tutorial
- Google Docs - Blob Servicification
- Google Docs - Device Service in Chromium
- Google Docs - Device Service: Technical Approach
- Google Docs - Device Service: Extraction from the Content Layer
- Google Docs - Identity Service in Chromium
- Google Docs - Identity Service: Technical Approach
- Google Docs - Serving the Identity Extension API via the Identity Service
- Google Docs - Network Service in Chrome
- Google Docs - Network Service Conversion Cheat Sheet
- Google Docs - Error Handling in Network Service
- Google Docs - Restartable Network Service
- Google Docs - Notes on Mojo-ifying Safe Browsing's URL Check
- Google Docs - Per-Profile Mojo Services
- Google Docs - Pref Service
- Google Drawing - Chrome Security Architecture
- Google PDF - bpf_dsl: A domain-specific language for seccomp-bpf policies
- The Chromium Projects - OSX Sandboxing Design
- The Chromium Projects - Security Tips for IPC
- hidd3ncod3s blog - Chrome IPC Internals
- Blue Forest Security (2020) - Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox
- Blue Forest Security (2020) - Exploiting CVE-2020-0041 - Part 2: Escalating to root
- Project Zero Blog - Escaping the Chrome Sandbox with RIDL (2020)
- Abdulrahman Al-Qabandi Blog (2019) - Microsoft Edge (Chromium): EoP via XSS to Potential RCE
- Blue Forest Security (2019) - Escaping the Chrome Sandbox via an IndexedDB Race Condition
- Exodus Intelligence (2019) - WINDOWS WITHIN WINDOWS: ESCAPING THE CHROME SANDBOX WITH A WIN32K NDAY
- Tencent Xuanwu Lab (Blackhat Asia 2019) - Attacking Browser Sandbox: Live Persistently and Prosperously
- Flanker Sky (2019) - Galaxy Leapfrogging: Pwning the Galaxy S8
- WCTF 2019 - Mojojojo
- Eternal Stories (2019) - Google CTF 2019 monochromatic writeup
- Google CTF 2018 - pwn-mojo
- 360 Alpha Team (CanSecWest 2018) - Attacks and analysis of the Samsung S8 from Mobile PWN2OWN
- Microsoft Blog - Browser security beyond sandboxing (2017)
- X41 - Browser Security White Paper (2017)
- KEEN Team (CanSecWest 2017) - Pwning the Nexus of Every Pixel
- KEEN Team (DEFCON24 2016) - Escaping The Sandbox By Not Breaking It
- James Forshaw (Troopers 2016) - The Joy of Sandbox Mitigations
- James Forshaw (Nullcon 2015) - The Windows Sandbox Paradox
- Guang Gong (BlackHat USA 2015) - Fuzzing Android System Services by Binder Call to Escalate Privilege
- A Tale of Two Pwnies (Part 1)
- A Tale of Two Pwnies (Part 2)