A Collection of Chrome Sandbox Escape POCs/Exploits for learning.
Issue | Type | Summary | Label | Reporter | Links |
---|---|---|---|---|---|
crbug-984521 | MojoJS POC | UAF in IndexedDB IndexedDBConnection::Close | M-76 | Mark Brand | p0-1912 |
crbug-981873 | MojoJS POC | UAF in IndexedDB ~LevelDBIteratorImpl | M-76 | Mark Brand | p0-1904 |
crbug-977462 | MojoJS POC | UAF in OfflinePage | CVE-2019-5850, M-75, reward-10000 | Brendon Tiszka | - |
crbug-972239 | MojoJS POC | UAF in IndexedDB IndexedDBTransaction::Abort | M-76 | Mark Brand | - |
crbug-971702 | HTML POC | UAF in chrome!content::Portal::Activate | M-76, reward-8000 | Pawel Wylecial | - |
crbug-966784 | MojoJS POC | UAF in IndexedDB AbortAllTransactions | M-76, reward-5000 | cdsrc2016 | - |
crbug-966762 | MojoJS POC | UAF in IndexedDB RequestComplete 2 | M-76, reward-10500 | cdsrc2016 | - |
crbug-956597 | HTML POC | UAF in ServiceWorkerPaymentInstrument | M-75, M-76, reward-5000 | leecraso, Guang Gong | - |
crbug-960484 | MojoJS POC | UAF in SerialChooserController | M-75 | jonorman | - |
crbug-948172 | Full Chain Exploit | PDF plugin is allowed to use Pepper Socket API | M-75 | Sergey Glazunov | Full Chain Exploit, crbug-950005, p0-1813, p0-1817 |
crbug-945370 | HTML POC | UAF in IndexedDB DeleteRequest | M-75, reward-8000 | cdsrc2016 | - |
crbug-942898 | HTML POC | UAF in IndexedDB RequestComplete | M-74, reward-10000 | cdsrc2016 | - |
crbug-941746 | Full Chain WriteUp | UAF in IndexedDBDatabase (Pwnium 2019) | CVE-2019-5826, M-73 | Gengming Liu | BlackhatUSA2019 |
crbug-941008 | MojoJS POC | UAF in FileChooserImpl | CVE-2019-5809, M-73, M-74, M-75 | Mark Brand | p0-1803 |
crbug-925864 | MojoJS POC | UAF in FileSystemOperationRunner | CVE-2019-5788, M-73 | Mark Brand | p0-1767 |
crbug-922677 | Full Chain Exploit | UAF in FileWriterImpl | M-71 | Mark Brand | Full Chain Exploit, p0-1755, P0 Blog |
crbug-921581 | MojoJS POC | UAF in WebMIDI | CVE-2019-5789, M-73 | Mark Brand | p0-1754 |
crbug-916523 | MojoJS POC | Double Free in StoragePartitionService | CVE-2019-5797, M-73 | Mark Brand | p0-1744 |
crbug-916080 | MojoJS POC | UAF in P2PSocketDispatcherHost | M-71 | Mark Brand | p0-1743 |
crbug-912947 | MojoJS POC | UAF in PaymentRequest | M-72 | Mark Brand | p0-1735 |
crbug-912520 | MojoJS POC | UAF in MediaStream | M-72 | Mark Brand | p0-1730 |
crbug-888926 | Full Chain Exploit | UAF in Appcache (Hack2Win 2018) | CVE-2018-17462, M-69, M-70 | Ned Williamson, Niklas Baumstark | POC2018, 35C3, Github, OffensiveCon2019 |
crbug-888366 | HTML POC | UAF in WebAudio | M-70, M-71, reward-5500 | cdsrc2016 | - |
crbug-877182 | Patch POC | OOB Read/Write in Mojo DataPipe deserialization | CVE-2018-16068, M-68 | Mark Brand | - |
crbug-842990 | Patch POC | UAF in IndexedDB Connection | CVE-2018-6127, M-66, reward-10000 | Looben Yang | - |
crbug-835887 | Full Chain Exploit | Logic Bug in "filesystem:" Scheme URL, PDF Plugin, Extension, WebUI | M-67, M-68, reward-40633.7 | Sergey Glazunov | crbug-836362, crbug-836859, crbug-836858, crbug-840857 |
crbug-831963 | Patch POC | UAF in In-memory Cache 2 | CVE-2018-6118, M-66, M-67, M-68, reward-10500 | Ned Williamson | - |
crbug-827492 | Patch POC | UAF in In-memory Cache | CVE-2018-6086, M-66, reward-10500 | Ned Williamson | - |
crbug-826626 | Patch POC | UAF in Blockfile Media Cache | CVE-2018-6085, M-66, reward-10000 | Ned Williamson | - |
crbug-794969 | Patch POC | OOB Read in deserializing Mojo "Event" messages | M-65 | Gal Beniamini | - |
crbug-791003 | Patch POC | Logic Bug in "catalog" service | CVE-2018-6055, M-65 | Gal Beniamini | - |
crbug-778505 | Patch POC | OOB Write in QUIC | CVE-2017-15407, M-65, reward-10500 | Ned Williamson | - |
crbug-777728 | Patch POC | Stack Overflow in QUIC | CVE-2017-15398, M-76, reward-10500 | Ned Williamson | - |
crbug-728887 | Patch POC | UAF in IndexedDB OpenCursor | CVE-2017-5091, M-60, reward-10000 | Ned Williamson | - |
crbug-725032 | Patch POC | UAF in IndexedDB Transactions | CVE-2017-5087, M-58, M-60, M-61, reward-10500 | Ned Williamson | - |
crbug-698622 | HTML POC | UAF in Printing | CVE-2017-5055, M-57, M-58, reward-9337 | Wadih Matar | - |
crbug-664551 | Full Chain Exploit | Logic Bug in Android Play Store (PWNFest 2016) | M-55 | Guang Gong | Github |
crbug-659489 | Full Chain WriteUp | Logic Bug in Android "content:" Scheme URL, File Download (Mobile Pwn2Own 2016) | M-54 | Robert Miller, Georgi Geshev | crbug-659492, WriteUp |
crbug-659474 | Full Chain WriteUp | Logic Bug in Android "intent:" Scheme URL, IPC (Mobile Pwn2Own 2016) | M-54 | Qidan He, Gengming Liu | crbug-659477, WriteUp, CSW2017 |
crbug-610600 | Frida Exploit | Logic Bug in PPAPI/Flash Broker | CVE-2016-1706, M-52, reward-15000 | Pinkie Pie | - |
crbug-595834 | Full Chain Exploit | Logic Bug in GPU, WebUI, SmartScreen (Pwn2Own 2016) | - | JungHoon Lee | crbug-595844, crbug-596862, WriteUp |
crbug-590284 | Patch POC | UAF in RenderWidgetHostImpl | CVE-2016-1647, M-49, M-50, reward-10500 | gzobqq | - |
crbug-564501 | Patch POC | UAF in MidiHost | M-48 | Oliver Chang | - |
crbug-558589 | Webserver POC | UAF in AppCacheUpdateJob | CVE-2015-6765, M-47, M-48, reward-10000 | gzobqq | - |
crbug-554946 | Full Chain WriteUp | Logic Bug in Android Play Store (Mobile Pwn2Own 2015) | CVE-2015-6764, M-47, reward-7500 | Guang Gong | crbug-554518, Github |
crbug-554908 | Patch, Webserver POC | UAF in AppCacheDispatcherHost | CVE-2015-6767, M-47, M-48, reward-10000 | gzobqq | - |
crbug-551044 | Patch, Webserver POC | Memory Corruption in AppCacheUpdateJob | CVE-2015-6766, M-47, M-48, reward-11337 | gzobqq | - |
crbug-484270 | Webserver POC | Heap Overflow in CertificateResourceHandler | M-43 | Mark Brand | - |
crbug-416449 | Full Chain Exploit | OOB Write in P2PHostMsg_Send IPC | CVE-2014-3188, M-38, reward-27634 | Jüri Aedla | crbug-416528, WriteUp |
crbug-386988 | Full Chain Exploit | Logic Bugs in Extension and WebUI | reward-30000 | JungHoon Lee | crbug-50275, crbug-367567, crbug-387033, crbug-387037 |
crbug-352369 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Pwn2Own 2014) | M-33 | VUPEN | crbug-352395 |
crbug-319117 | Full Chain Exploit | Memory Corruption in Clipboard IPC (Mobile Pwn2Own 2013) | CVE-2013-6632, M-31, M-32 | Pinkie Pie | crbug-319125, WriteUp |
- It only includes bugs in the Chrome browser itself (IPC/Mojo, Web APIs, WebUI, extensions, and similar); escapes that rely on kernel bugs, such as MWR Labs' Pwn2Own 2013 exploit or lokihardt's Pwn2Own 2015 exploit, are not included.
- It only includes security bugs whose POC/exploit was published on crbug.com.
- The list was compiled by hand, so some entries may be missing.
Issue Number | Patch Version | Summary | Reporter |
---|---|---|---|
crbug-1019226 | 78.0.3904.87 | [$TBD] High CVE-2019-13720: Use-after-free in audio (not confirmed to be a sandbox escape) | Anton Ivanov, Alexey Kulaev |
crbug-1001503 | 78.0.3904.70 | [$20000] High CVE-2019-13699: Use-after-free in media | Man Yue Mo |
crbug-1005753 | 77.0.3865.120 | [$20500] High CVE-2019-13693: Use-after-free in IndexedDB | Guang Gong |
crbug-1004730 | 77.0.3865.120 | [$15000] High CVE-2019-13695: Use-after-free in audio | Man Yue Mo |
crbug-1000934 | 77.0.3865.90 | [$TBD] Critical CVE-2019-13685: Use-after-free in UI | Khalil Zhani |
crbug-995964 | 77.0.3865.90 | [$20000] High CVE-2019-13688: Use-after-free in media | Man Yue Mo |
crbug-998548 | 77.0.3865.90 | [$20000] High CVE-2019-13688: Use-after-free in media | Man Yue Mo |
crbug-1000002 | 77.0.3865.90 | [$TBD] High CVE-2019-13686: Use-after-free in offline pages | Brendon Tiszka |
crbug-999311 | 77.0.3865.75 | [$30000] Critical CVE-2019-5870: Use-after-free in media | Guang Gong |
crbug-981492 | 77.0.3865.75 | [$3000] High CVE-2019-5872: Use-after-free in Mojo | Zhe Jin, Luyao Liu |
crbug-989797 | 77.0.3865.75 | [$3000] High CVE-2019-5874: External URIs may trigger other browsers | James Lee |
crbug-997190 | 77.0.3865.75 | [$20000] High CVE-2019-5876: Use-after-free in media | Man Yue Mo |
crbug-959438 | 76.0.3809.87 | [$TBD] High CVE-2019-5859: Some URIs can load alternative browsers | James Lee |
- It only includes permission-denied issues listed on the Chrome Releases blog (last three years).
- This list was also compiled by hand, so some entries may be missing.
- Blue Forest Security (2019) - Escaping the Chrome Sandbox via an IndexedDB Race Condition
- Tencent Xuanwu Lab (Blackhat Asia 2019) - Attacking Browser Sandbox: Live Persistently and Prosperously
- WCTF 2019 - Mojojojo
- Google CTF 2019 - monochromatic
- Google CTF 2018 - pwn-mojo
- 360 Alpha Team (CanSecWest 2018) - Attacks and analysis of the Samsung S8 from Mobile PWN2OWN
- KEEN Team (DEFCON 24) - Escaping The Sandbox By Not Breaking It
- X41 - Browser Security White Paper
- James Forshaw (Troopers 2016) - The Joy of Sandbox Mitigations
- James Forshaw (Nullcon 2015) - The Windows Sandbox Paradox
- Guang Gong (BlackHat USA 2015) - Fuzzing Android System Services by Binder Call to Escalate Privilege
- A Tale of Two Pwnies (Part 1)
- A Tale Of Two Pwnies (Part 2)