chrome-sbx-db's Introduction

Case Study of Chrome Sandbox Escape

A Collection of Chrome Sandbox Escape POCs/Exploits for learning.

Permission Allowed Issues

| Issue | Type | Summary | Label | Reporter | Links |
|---|---|---|---|---|---|
| crbug-1062091 | MojoJS POC | UAF in InstalledAppProviderImpl | M-81, reward-25000 | Tim Becker | Theori Blog |
| crbug-1055393 | HTML POC | UAF in Accessibility | M-81, M-82, reward-20000 | Pawel Wylecial | RedTeam Blog |
| crbug-1041406 | HTML POC | UAF in Portals | reward-20000 | Pawel Wylecial | RedTeam Blog |
| crbug-1035399 | Patch POC | Site Isolation Bypass in BlobURL | CVE-2020-6385, M-79 | Sergey Glazunov | p0-1991 |
| crbug-1031142 | Full Chain Exploit | UAF in DesktopMedia, Logic Bug in Extensions (Site Isolation Bypass) | CVE-2020-6380, CVE-2020-6424, CVE-2020-6425, CVE-2020-6435, CVE-2020-6485, CVE-2019-13767, M-79, M-80 | Sergey Glazunov | crbug-1031653, crbug-1031670, crbug-1032158, crbug-1032170, crbug-1038996, crbug-1047285, p0-1985 |
| crbug-1027152 | Patch POC | Heap Overflow in PasswordFormManager | CVE-2019-13726, M-78 | Sergey Glazunov | p0-1972 |
| crbug-1025067 | MojoJS POC | UAF in BluetoothAdapter | CVE-2019-13725, M-78, M-79, reward-20000 | Gengming Liu, Jianyu Chen | - |
| crbug-1024121 | MojoJS POC | UAF in WebBluetoothServiceImpl | CVE-2019-13723, M-78, M-79, reward-20000 | Yuxiang Li | - |
| crbug-1024116 | MojoJS POC | OOB Access in WebBluetoothServiceImpl | CVE-2019-13724, M-78, reward-20000 | Yuxiang Li | - |
| crbug-1007194 | WriteUp | UAF in MojoCdmProxyService | CVE-2019-13765, M-77, reward-5000 | Guang Gong | crbug-999311 |
| crbug-1005753 | Patch POC | UAF in IndexedDB | CVE-2019-13693, M-77, M-78, reward-20500 | Guang Gong | - |
| crbug-1004730 | Patch POC | UAF in MojoAudioDecoder | CVE-2019-13695, M-77, reward-15000 | Man Yue Mo | - |
| crbug-1001503 | MojoJS POC | UAF in Aura | CVE-2019-13699, M-77, reward-20000 | Man Yue Mo | - |
| crbug-1000934 | HTML POC | UAF in Sharing | CVE-2019-13685, M-77, M-78, reward-15000 | chromium.khalil | - |
| crbug-1000002 | MojoJS POC | UAF in OfflinePage2 (Android) | CVE-2019-13686, M-76, reward-20000 | Brendon Tiszka | - |
| crbug-998548 | MojoJS POC | UAF in ImageCapture | CVE-2019-13687, M-76, M-77, M-78, reward-20000 | Man Yue Mo | - |
| crbug-998431 | MojoJS POC | Heap Overflow in GamepadService | CVE-2019-13700, M-77, reward-15000 | Man Yue Mo | - |
| crbug-997190 | Patch POC | UAF in MediaSession (Android) | CVE-2019-5876, M-76, reward-20000 | Man Yue Mo | - |
| crbug-996741 | Patch POC | Logic Bug in Payment Handler API | M-76 | Sergey Glazunov | p0-1928 |
| crbug-995964 | MojoJS POC | UAF in VideoCapture | CVE-2019-13688, M-77, M-78, reward-20000 | Man Yue Mo | - |
| crbug-993223 | HTML POC | UAF in Payment | M-77, reward-5000 | chromium.khalil | crbug-992285 |
| crbug-987261 | HTML POC | Logic Bug in WebUI | - | Vladimir Metnew | - |
| crbug-986211 | Webserver POC | Heap Overflow in Network Service | M-76 | Mark Brand, Sergey Glazunov | P0 Blog1, P0 Blog2 |
| crbug-984521 | MojoJS POC | UAF in IndexedDB IndexedDBConnection::Close | M-76 | Mark Brand | p0-1912 |
| crbug-981873 | MojoJS POC | UAF in IndexedDB ~LevelDBIteratorImpl | M-76 | Mark Brand | p0-1904 |
| crbug-977462 | MojoJS POC | UAF in OfflinePage (Android) | CVE-2019-5850, M-75, reward-10000 | Brendon Tiszka | crbug-977195 |
| crbug-972239 | MojoJS POC | UAF in IndexedDB IndexedDBTransaction::Abort | M-76 | Mark Brand | - |
| crbug-971702 | HTML POC | UAF in chrome!content::Portal::Activate | M-76, reward-8000 | Pawel Wylecial | crbug-968142, RedTeam Blog |
| crbug-966784 | MojoJS POC | UAF in IndexedDB AbortAllTransactions | M-76, reward-5000 | cdsrc2016 | - |
| crbug-966762 | MojoJS POC | UAF in IndexedDB RequestComplete 2 | M-76, reward-10500 | cdsrc2016 | - |
| crbug-962500 | HTML POC | Logic Bug in WebUI | reward-10000 | Michal Bentkowski | - |
| crbug-960484 | MojoJS POC | UAF in SerialChooserController | M-75 | jonorman | - |
| crbug-956597 | HTML POC | UAF in ServiceWorkerPaymentInstrument | M-75, M-76, reward-5000 | leecraso, Guang Gong | - |
| crbug-948172 | Full Chain Exploit | Logic Bug in PDF plugin using Pepper Socket API | M-75 | Sergey Glazunov | Full Chain Exploit, crbug-950005, p0-1813, p0-1817 |
| crbug-945370 | HTML POC | UAF in IndexedDB DeleteRequest | M-75, reward-8000 | cdsrc2016 | - |
| crbug-942898 | HTML POC | UAF in IndexedDB RequestComplete | M-74, reward-10000 | cdsrc2016 | - |
| crbug-941746 | Full Chain WriteUp | UAF in IndexedDBDatabase (Pwnium 2019) | CVE-2019-5826, M-73 | Gengming Liu | BlackhatUSA2019, POC2019 |
| crbug-941008 | MojoJS POC | UAF in FileChooserImpl | CVE-2019-5809, M-73, M-74, M-75 | Mark Brand | p0-1803 |
| crbug-925864 | MojoJS POC | UAF in FileSystemOperationRunner | CVE-2019-5788, M-73 | Mark Brand | p0-1767 |
| crbug-922677 | Full Chain Exploit | UAF in FileWriterImpl | M-71 | Mark Brand | Full Chain Exploit, p0-1755, P0 Blog |
| crbug-921581 | MojoJS POC | UAF in WebMIDI | CVE-2019-5789, M-73 | Mark Brand | p0-1754 |
| crbug-916523 | MojoJS POC | Double Free in StoragePartitionService | CVE-2019-5797, M-73 | Mark Brand | p0-1744 |
| crbug-916080 | MojoJS POC | UAF in P2PSocketDispatcherHost | M-71 | Mark Brand | p0-1743 |
| crbug-912947 | MojoJS POC | UAF in PaymentRequest | M-72 | Mark Brand | p0-1735 |
| crbug-912520 | MojoJS POC | UAF in MediaStream | M-72 | Mark Brand | p0-1730 |
| crbug-888926 | Full Chain Exploit | UaF in Appcache (Hack2Win 2018) | CVE-2018-17462, M-69, M-70 | Ned Williamson, Niklas Baumstark | POC2018, 35C3, Github, OffensiveCon2019 |
| crbug-888366 | HTML POC | UAF in WebAudio | M-70, M-71, reward-5500 | cdsrc2016 | - |
| crbug-877182 | Patch POC | OOB Read/Write in Mojo DataPipe deserialization | CVE-2018-16068, M-68 | Mark Brand | - |
| crbug-842990 | Patch POC | UAF in IndexedDB Connection | CVE-2018-6127, M-66, reward-10000 | Looben Yang | - |
| crbug-835887 | Full Chain Exploit | Logic Bug in "filesystem:" Scheme URL, PDF Plugin, Extension, WebUI | M-67, M-68, reward-40633.7 | Sergey Glazunov | crbug-836362, crbug-836859, crbug-836858, crbug-840857 |
| crbug-831963 | Patch POC | UAF in In-memory Cache 2 | CVE-2018-6118, M-66, M-67, M-68, reward-10500 | Ned Williamson | - |
| crbug-827492 | Patch POC | UAF in In-memory Cache | CVE-2018-6086, M-66, reward-10500 | Ned Williamson | - |
| crbug-826626 | Patch POC | UAF in Blockfile Media Cache | CVE-2018-6085, M-66, reward-10000 | Ned Williamson | - |
| crbug-794969 | Patch POC | OOB Read in deserializing Mojo "Event" messages | M-65 | Gal Beniamini | - |
| crbug-791003 | Patch POC | Logic Bug in "catalog" service | CVE-2018-6055, M-65 | Gal Beniamini | - |
| crbug-780708 | WriteUp | Logic Bug in Android “googlechrome:” Scheme URL (Mobile Pwn2Own 2017) | M-65 | ? | - |
| crbug-779314 | Patch POC | OOB Read in Blob | CVE-2017-15416, M-65, reward-2500 | Ned Williamson | - |
| crbug-778505 | Patch POC | OOB Write in QUIC | CVE-2017-15407, M-65, reward-10500 | Ned Williamson | - |
| crbug-777728 | Patch POC | Stack Overflow in QUIC | CVE-2017-15398, M-76, reward-10500 | Ned Williamson | - |
| crbug-728887 | Patch POC | UAF in IndexedDB OpenCursor | CVE-2017-5091, M-60, reward-10000 | Ned Williamson | - |
| crbug-725032 | Patch POC | UAF in IndexedDB Transactions | CVE-2017-5087, M-58, M-60, M-61, reward-10500 | Ned Williamson | - |
| crbug-698622 | HTML POC | UAF in Printing | CVE-2017-5055, M-57, M-58, reward-9337 | Wadih Matar | - |
| crbug-664551 | Full Chain Exploit | Logic Bug in Android Play Store (PWNFest 2016) | M-55 | Guang Gong | Github |
| crbug-659489 | Full Chain WriteUp | Logic Bug in Android "content:" Scheme URL, File Download (Mobile Pwn2Own 2016) | M-54 | Robert Miller, Georgi Geshev | crbug-659492, WriteUp |
| crbug-659474 | Full Chain WriteUp | Logic Bug in Android "intent:" Scheme URL, IPC (Mobile Pwn2Own 2016) | M-54 | Qidan He, Gengming Liu | crbug-659477, WriteUp, CSW2017 |
| crbug-610600 | Frida Exploit | Logic Bug in PPAPI/Flash Broker | CVE-2016-1706, M-52, reward-15000 | Pinkie Pie | - |
| crbug-595834 | Full Chain Exploit | Logic Bug in GPU, WebUI, SmartScreen (Pwn2Own 2016) | - | JungHoon Lee | crbug-595844, crbug-596862, WriteUp |
| crbug-590284 | Patch POC | UAF in RenderWidgetHostImpl | CVE-2016-1647, M-49, M-50, reward-10500 | gzobqq | - |
| crbug-564501 | Patch POC | UAF in MidiHost | M-48 | Oliver Chang | - |
| crbug-558589 | Webserver POC | UAF in AppCacheUpdateJob | CVE-2015-6765, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-554946 | Full Chain WriteUp | Logic Bug in Android Play Store (Mobile Pwn2Own 2015) | CVE-2015-6764, M-47, reward-7500 | Guang Gong | crbug-554518, Github |
| crbug-554908 | Patch, Webserver POC | UAF in AppCacheDispatcherHost | CVE-2015-6767, M-47, M-48, reward-10000 | gzobqq | - |
| crbug-551044 | Patch, Webserver POC | Memory Corruption in AppCacheUpdateJob | CVE-2015-6766, M-47, M-48, reward-11337 | gzobqq | - |
| crbug-484270 | Webserver POC | Heap Overflow in CertificateResourceHandler | M-43 | Mark Brand | - |
| crbug-416449 | Full Chain Exploit | OOB Write in P2PHostMsg_Send IPC | CVE-2014-3188, M-38, reward-27634 | Jüri Aedla | crbug-416528, WriteUp |
| crbug-386988 | Full Chain Exploit | Logic Bugs in Extension and WebUI | reward-30000 | JungHoon Lee | crbug-367567, crbug-387033, crbug-387037, crbug-50275 |
| crbug-352369 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Pwn2Own 2014) | M-33 | VUPEN | crbug-352395, Google Presentation |
| crbug-319117 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Mobile Pwn2Own 2013) | CVE-2013-6632, M-31, M-32 | Pinkie Pie | crbug-319125, WriteUp |

Permission Denied Issues

| Issue Number | Chromium Review | Summary | Reporter |
|---|---|---|---|
| crbug-1073015 | bug:1073015 | [83.0.4103.61][$20000] High CVE-2020-6465: Use after free in reader mode | Woojin Oh (@pwn_expoit) |
| crbug-1074706 | bug:1074706 | [83.0.4103.61][$15000] High CVE-2020-6466: Use after free in media | Zhe Jin |
| crbug-1064891 | bug:1064891 | [81.0.4044.129][$10000] High CVE-2020-6462: Use after free in task scheduling | Zhe Jin |
| crbug-1072983 | bug:1072983 | [81.0.4044.129][$TBD] High CVE-2020-6461: Use after free in storage | Zhe Jin |
| crbug-1065298 | bug:1065298 | [81.0.4044.122][$20000] High CVE-2020-6459: Use after free in payments | Zhe Jin |
| crbug-1063566 | bug:1063566 | [81.0.4044.122][$15000] High CVE-2020-6460: Insufficient data validation in URL formatting | Anonymous |
| crbug-1067851 | bug:1067851 | [81.0.4044.113][$TBD] Critical CVE-2020-6457: Use after free in speech recognizer | Leecraso, Guang Gong |
| crbug-1019161 | bug:1019161 | [81.0.4044.92][$7500] High CVE-2020-6454: Use after free in extensions | Leecraso, Guang Gong |
| crbug-1059349 | bug:1059349 | [80.0.3987.149][$N/A] High CVE-2019-20503: Out of bounds read in usersctplib | Natalie Silvanovich |
| crbug-999311 | bug:999311 | [77.0.3865.75][$30000] Critical CVE-2019-5870: Use-after-free in media | Guang Gong |
| crbug-989797 | bug:989797 | [77.0.3865.75][$3000] High CVE-2019-5874: External URIs may trigger other browsers | James Lee |
| crbug-959438 | bug:959438 | [76.0.3809.87][$TBD] High CVE-2019-5859: Some URIs can load alternative browsers | James Lee |

  • This list only includes Permission Denied issues posted on the Chrome Releases blog (latest 3 years).
  • It was compiled by hand, so some entries may be missing.

Chrome Sandbox Internals

Awesome Chrome Sandbox Escape

chrome-sbx-db's People

Contributors

allpaca
