itman 1,630
Posted June 18, 2020 (edited)

Note: This issue was patched in Firefox ver. 76. If your version is prior to this, you need to update ASAP.

Quote
By James Forshaw, Project Zero

In my previous blog post I discussed an issue with the Windows Kernel's handling of Restricted Tokens which allowed me to escape the Chrome GPU sandbox. Originally I'd planned to use Firefox for the proof-of-concept as Firefox uses the same effective sandbox level as the Chrome GPU process for its content renderers. That means a FF content RCE would give code execution in a sandbox where you could abuse the Windows Kernel Restricted Tokens issue, making it much more serious.

However, while researching the sandbox escape I realized that was the least of FF's worries. The use of the GPU level sandbox for multiple processes introduced a sandbox escape vector, even once the Windows issue was fixed. This blog post is about the specific behavior of the Chromium sandbox and why FF was vulnerable. I'll also detail the changes I made to the Chromium sandbox to introduce a way of mitigating the issue which was used by Mozilla to fix my report.

For reference the P0 issue is 2016 and the FF issue is 1618911. FF define their own sandboxing profiles defined on this page. The content sandbox at the time of writing is defined as Level 5, so I'll refer to L5 going forward rather than a GPU sandbox.

https://googleprojectzero.blogspot.com/2020/06/ff-sandbox-escape-cve-2020-12388.html

Edited June 18, 2020 by itman