Niklas Baumstark

IPC you outside the sandbox: One bug to rule the Chrome broker

Abstract

A single bug in the Chrome broker process found by Ned Williamson was enough for the two of us to fully escape the sandbox on Windows. I will provide insights into our exploitation approach, generic exploitation primitives available in the broker process and how to stage an IPC-based exploit from the renderer process.

Bugs in the kernel attack surface of the Chrome browser are harder and harder to come by, yet many interesting and complex components of the browser still live in the privileged broker (browser) process and interact with unprivileged renderer processes using different IPC mechanisms.
I will describe an interesting use-after-free vulnerability found by Ned Williamson, which we exploited together and chained with a V8 bug by saelo to fully compromise Chrome. This talk will focus on how the IPC exploit was staged from the renderer and the exploitation primitives available in the broker that allowed us to develop a reliable exploit without an additional information leak.

Bio

Niklas Baumstark is an independent security researcher with an interest in reverse engineering and binary exploitation. He has publicly demonstrated exploits against Apple, Google, Mozilla and Oracle products. Besides breaking real software, he loves playing and organizing Capture-The-Flag events.