Google Chrome Privilege Escalation Bug (CWE-264) Identified

A security researcher has identified a privilege escalation vulnerability in the Google Chrome web browser.

Google Chrome Bug (CWE-264) Found

A security alert has notified us of a new Google Chrome vulnerability classified under CWE-264 (Permissions, Privileges, and Access Controls). The problem was reported by the security researcher jannh and is a privilege escalation bug in the web browser: an attacker who compromises an ordinary renderer process through a malicious website can escalate from that renderer into the extension context. Exploitation requires that the victim is signed in to Chrome and has the Sync feature turned on. The report demonstrates that a compromised renderer alone is enough to carry out this escalation.

The attack begins with the attacker obtaining, from the compromised renderer, an OAuth token with the following scope:

“https://www.googleapis.com/auth/chromesync”

The researcher reproduced the token retrieval on the victim machine with the following steps:

  1. Navigate to data:text/html, https://developers.google.com/oauthplayground/
  2. Check the PID of the renderer process
  3. Click Start
  4. Enter the scope “https://www.googleapis.com/auth/chromesync”
  5. Press “Authorize APIs”
  6. Verify that the PID is still the same
  7. Press “Allow”
  8. Verify that the PID is still the same
  9. Press “Exchange authorization code for tokens”
  10. Copy the access token

Because the PID does not change, all of these operations are performed in the original renderer process, so a compromised renderer can complete the whole flow on its own. The token obtained this way can be used to connect to Chrome’s sync server and push arbitrary extensions to the victim’s machines. The researcher achieved this by building Chrome with a patch that lets the attacker connect to the victim’s account using only the victim’s email address and the access token.
In the demonstration, the patched browser is built and signed with the attacker’s own credentials and then synchronized with the victim’s Chrome profile; any extension the attacker installs from the Web Store in the patched browser is pushed to the victim through Sync. The extension permission prompts are shown only to the attacker, never to the victim.
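The attack depends on Sync silently installing extensions on the victim’s devices, so an administrator’s first line of defense is to take that channel away. The following managed policy file is an added hardening example and is not part of the original report or of Chrome’s own configuration; it assumes Google Chrome on Linux, where managed policies are read from /etc/opt/chrome/policies/managed/ (the file name is arbitrary), and the allowlist entry is a placeholder extension ID, not a real extension.

```json
{
  "SyncDisabled": true,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
}
```

SyncDisabled removes the sync channel entirely, and the blocklist wildcard with an explicit allowlist means that even an extension pushed by a sync peer cannot be installed unless it is on the approved list. On Chrome versions contemporary with the report (54.x) the same two extension policies were named ExtensionInstallBlacklist and ExtensionInstallWhitelist. After placing the file, chrome://policy on the client should list all three policies with status OK; if a policy shows as unset or an error, the file is not being read.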

A successful demonstration was performed on Google Chrome version 54.0.2840.100 stable on a GNU/Linux distribution. The CWE-264 category description reads as follows:

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

