Chrome Sandbox Escape CVE-2021-30528

The write-up can be found here. This is a Chrome bug I reported in May 2021. The GitHub Advisory can be found here and the Chrome Issue here. The bug can be used to escape the Chrome sandbox from a compromised renderer.

Two exploits are included: one for the 64-bit version 90.0.4430.91 and the other for the 32-bit version 88.0.4324.181. The build configs are in the corresponding subdirectories.

To test, follow the instructions for the corresponding version to build the binary, then install the resulting APKs (under out/<target>/apks) on the phone using adb, then enable the MojoJS feature to simulate a compromised renderer:

  1. Enable the "Enable command line on non-rooted devices" flag in chrome://flags.
  2. Create the file /data/local/tmp/chrome-command-line on the phone containing the line `chrome --enable-blink-features=MojoJS`.
  3. Force-stop Chrome and restart it.

As explained in the write-up, this bug requires a credit card to be stored in the user account. To simulate the behaviour locally, a patch is applied to the browser-side code to treat a local card as a remote card. This still requires a credit card to be stored on the test device as a payment method. I do not recommend using real card details for this purpose. For testing, the following steps can be used:

  1. In the testing version of Chrome, go to Settings > Payment Methods and select Add card.
  2. Enter 4111 1111 1111 1111 as the card number; this should be recognized as a Visa card. (I found this in some code comment and I can only hope that this is not the real card number of some dedicated developer.)
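Why that number is accepted as a card at all comes down to two cheap checks that payment forms (and Chrome's card type detection) apply: a Luhn checksum over the digits, and an issuer prefix plus length lookup. The following is an added example, not code from this repository or from Chromium; the prefix table is a constructed approximation of the public IIN ranges, and the network names are my own labels. It shows that 4111 1111 1111 1111 passes both checks while a one-digit typo of it does not.

```python
import re
from typing import Optional

# Constructed, approximate issuer-prefix table (not Chromium's own detection
# logic): regex over the leading digits, and the set of accepted lengths.
NETWORKS = {
    "visa": (re.compile(r"^4"), {13, 16, 19}),
    # 51-55 plus the 2221-2720 range added later.
    "mastercard": (
        re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))"),
        {16},
    ),
    "amex": (re.compile(r"^3[47]"), {15}),
}


def normalize(number: str) -> str:
    """Strip the spaces and dashes a user types into the card field."""
    return re.sub(r"[\s-]", "", number)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: from the right, double every second digit,
    subtract 9 from doubled values above 9, and require the sum to be 0 mod 10."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_network(number: str) -> Optional[str]:
    """Return the network label for a Luhn-valid number whose prefix and
    length match the table, or None if it would be rejected."""
    digits = normalize(number)
    if not luhn_valid(digits):
        return None
    for name, (pattern, lengths) in NETWORKS.items():
        if pattern.match(digits) and len(digits) in lengths:
            return name
    return None


if __name__ == "__main__":
    # Constructed inputs: the number from the README, a typo of it, and two
    # other widely published test numbers.
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112",
                   "5555 5555 5555 4444", "3782 822463 10005"):
        print(sample, "->", detect_network(sample))
```

The point for testing this PoC is that the stored card only has to be syntactically plausible; nothing in the local flow contacts an issuer, which is why a published test number is enough and real card details are never needed.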

Then create a directory to host the HTML files included in this directory, run copy_mojo_js_bindings.py to copy the Mojo bindings into that directory, and host the files on localhost:

```
python ./copy_mojo_js_bindings.py /path/to/chrome/../out/<target>/gen
python -m SimpleHTTPServer
```

Then open the page http://localhost:8000/trigger2_64.html or http://localhost:8000/trigger2_32.html (depending on the version) from Chrome on the device. The easiest way is to use the chrome://inspect/#devices tool to set up the port forwarding and open the URL.

If successful, the shell command will run and a file called pwn will be created in the directory /data/data/org.chromium.chrome/ on the phone. This should succeed most of the time.