Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Fooling the Sandbox: A Chrome-atic Escape - 1713

Vincent Yeo - STAR Labs, posted 7 months ago
  • The author of this post was exploiting a Windows vulnerability to escape the Chrome renderer sandbox and become SYSTEM. The original vulnerability is a time-of-check to time-of-use (TOCTOU) issue on a user-provided pointer. By swapping the userland pointer for a kernel address between the check and the use, we obtain a partially controlled write.
  • On plain Windows, outside the sandbox, this was a straightforward exploit. Once you use the bug to overwrite the Control bitfield in SepMediumDaclSd, the integrity check is skipped. Next, get the token of the renderer process via NtQuerySystemInformation. These steps are the same for the Chrome sandbox escape, but there are a few additional steps to take.
  • From inside the Chrome sandbox, though, this wasn't the case. The integrity level is untrusted, the job object disallows the creation of child processes, and there were no privileges on the token. So, turning this vulnerability into an escape requires some more work in this setting.
  • When trying to call NtQuerySystemInformation to get a token, they got an access denied error because the renderer process runs at a low privilege level. To fix this, they used the earlier OOB write to overwrite the SE_SACL_PRESENT field so that the integrity control check is skipped. Since this was a 32-byte write, they had to be careful about the byte offset at which the write landed.
  • The second issue was another access issue around job integrity. The renderer process cannot call CreateProcess. The solution? Inject the code from the renderer process into another process (winlogon.exe) and have it call CreateProcess instead. This gives them code execution as a privileged user from Chrome!