# CVE-2024-5836 / CVE-2024-6778

A POC exploit for CVE-2024-5836 and CVE-2024-6778, allowing for a sandbox escape from a Chrome extension.
This repository contains proof of concept exploits for [CVE-2024-5836](https://nvd.nist.gov/vuln/detail/CVE-2024-5836) and [CVE-2024-6778](https://nvd.nist.gov/vuln/detail/CVE-2024-6778), two vulnerabilities in the Chromium web browser that allowed a sandbox escape from a browser extension. To run these, you must be on a version of Chromium older than `126.0.6478.54`.
Write up: https://ading.dev/blog/posts/chrome_sandbox_escape.html
Bug report: https://issues.chromium.org/issues/338248595
Both the `CVE-2024-5836` and `CVE-2024-6778` directories contain a POC Chrome extension that is able to execute arbitrary JS on privileged WebUI pages. `CVE-2024-5836` relies on a race condition and is fairly unreliable, while `CVE-2024-6778` does not.
The `sandbox-escape` directory contains the full exploit chain: it uses `CVE-2024-6778` to gain code execution in `chrome://policy`, and from there escapes the sandbox by setting the legacy browser support policies.
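The version requirement above is easy to get wrong when triaging: the build number that matters is the Chromium one (the `Chrome/<version>` token), not a vendor's own version, and Chrome's reduced user-agent string hides the last three components. The helper below is an added example, not code from this repository or its write-up; it compares a Chromium build against the first fixed version named above and classifies a few constructed sample user-agent strings. All function names and the sample strings are the editor's own.

```javascript
// Added example (not part of the CVE-2024-5836 / CVE-2024-6778 repository):
// decide whether a Chromium build predates the fix named in the README.

// First fixed build, as stated in the README above.
const FIXED_VERSION = "126.0.6478.54";

// Parse a dotted Chromium version ("126.0.6478.54") into four integers.
// Throws on anything that is not four dot-separated numeric components.
function parseVersion(version) {
  const parts = String(version).trim().split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`not a Chromium version string: ${version}`);
  }
  return parts.map((p) => parseInt(p, 10));
}

// Compare two versions component by component; returns -1, 0 or 1.
function compareVersions(a, b) {
  const av = parseVersion(a);
  const bv = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (av[i] !== bv[i]) return av[i] < bv[i] ? -1 : 1;
  }
  return 0;
}

// True when the build is older than the fixed version, i.e. the PoCs here
// are expected to apply.
function isAffectedChromium(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Chrome's reduced UA reports e.g. "Chrome/126.0.0.0": the major number is
// real but the rest is frozen at zero, so the build cannot be compared.
function isReducedVersion(version) {
  const v = parseVersion(version);
  return v[1] === 0 && v[2] === 0 && v[3] === 0;
}

// Extract the Chromium build from a user-agent string. Chromium-based
// browsers (Chrome, Edge, Brave, ...) all carry a "Chrome/<version>" token;
// returns null for non-Chromium UAs.
function chromiumVersionFromUserAgent(ua) {
  const m = /\bChrome\/(\d+\.\d+\.\d+\.\d+)/.exec(ua);
  return m ? m[1] : null;
}

// Classify a UA as "affected", "patched", "reduced-ua" (indeterminate; in a
// page you would ask navigator.userAgentData.getHighEntropyValues(["fullVersionList"])
// instead) or "not-chromium".
function classifyUserAgent(ua) {
  const version = chromiumVersionFromUserAgent(ua);
  if (version === null) return { ua, version, status: "not-chromium" };
  if (isReducedVersion(version)) return { ua, version, status: "reduced-ua" };
  return { ua, version, status: isAffectedChromium(version) ? "affected" : "patched" };
}

function classifyUserAgents(uas) {
  return uas.map(classifyUserAgent);
}

// Constructed sample user-agent strings (not captured from real clients).
const SAMPLE_USER_AGENTS = [
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.141 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.54 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.126 Safari/537.36 Edg/126.0.2592.68",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0",
];

// Stand-alone run: print one line per sample.
for (const r of classifyUserAgents(SAMPLE_USER_AGENTS)) {
  console.log(`${r.status.padEnd(12)} ${r.version ?? "-"}`);
}
```

The Edge sample is classified from its `Chrome/126.0.6478.126` token, not from `Edg/126.0.2592.68`, which is the point of matching the Chromium token; the reduced-UA sample is deliberately reported as indeterminate rather than as affected.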
This repository is licensed under the MIT license.
Repository layout:

```text
.
├── [4.0K]  CVE-2024-5836
│   ├── [  73]  devtools.html
│   ├── [1.4K]  devtools.js
│   ├── [ 191]  index.html
│   ├── [ 243]  manifest.json
│   └── [ 149]  worker.js
├── [4.0K]  CVE-2024-6778
│   ├── [  73]  devtools.html
│   ├── [1.3K]  devtools.js
│   ├── [ 191]  index.html
│   ├── [ 274]  manifest.json
│   └── [ 149]  worker.js
├── [1.0K]  LICENSE.md
├── [1.0K]  README.md
└── [4.0K]  sandbox-escape
    ├── [  73]  devtools.html
    ├── [3.2K]  devtools.js
    ├── [ 191]  index.html
    ├── [ 248]  manifest.json
    └── [ 149]  worker.js

3 directories, 17 files
```