Shield with Hole: New Security Mitigation Helps Us Escape Chrome Sandbox to Exfiltrate User Privacy presented at BlackHatEurope 2020

by Yongke Shi

Summary: More security mitigations usually mean more secure software and a higher exploit cost. The Chrome browser keeps introducing all kinds of security mitigation measures, such as its multi-process architecture[1], sandboxing and CORS, which have helped Chrome become one of the most secure browsers in the world. However, we find that some mitigations do not make software safer and can even introduce new vulnerabilities. Recently, the network stack could be moved out of the Chrome browser process to run as a separate process called the 'Network service', and a new mitigation named 'OutOfBlinkCors'[2] (aka OOR-CORS) has landed in the Network service. We find that the Same-Origin Policy is broken if 'OutOfBlinkCors' is enabled on Chrome for Android.

After a period of deep research, we succeeded in developing a full exploit chain of six bugs/features that escapes the Chrome sandbox to exfiltrate user privacy, such as personal pictures, private documents, and even clear-text account credentials (username and password) for Google, Facebook and other third-party websites. Our exploit chain can be triggered remotely from inside the Chrome sandbox once a link in an SMS, email or website is clicked. Besides Chrome for Android, Android WebView is also vulnerable to the above bugs; we will use one app, 'Wish', as a demo to show the attack effects.

The process of our research was very interesting. Originally, our exploit chain worked well on version 81 of Chrome for Android, but the chain was broken by a fix in version 83. Finally, we came up with an interesting exploit technique to bypass that fix with the help of a pre-installed app on Pixel devices; we name this technique the 'reflection attack'. In this talk, we will detail the full exploit chain and analyze the root cause of each bug in the chain. We will also demystify the trick we used to bypass Scoped Storage[3] enforcement, a mitigation measure introduced in Android 10.

In addition, we will explain how we escape the Chrome sandbox to carry out the attack. The bug chain has been reported to Google and was assigned 'Critical' severity, the most serious level in the Chrome Vulnerability Reward Program. In short, security mitigations are designed to help protect against vulnerabilities, but they can introduce new vulnerabilities if implemented carelessly. Developers should pay more attention to avoiding negative side effects when introducing new mitigations, and for security researchers, new mitigations can be good targets for bug hunting.