Another Way to Talk with Browser: Exploiting Chrome at Network Layer

Networking is a critical and complex task for browsers. It ranges from high level JavaScript APIs, all the way down to managing every socket connection. Services on remote servers can control every single byte sent to the browser during communication, which might lead to memory safety issues when the browser parses the inputs. But apart from these security issues due to data processing, are there other logic bugs from a higher-level view? Can this type of bug be exploited and how?In this presentation, we will show how we discovered several bugs in the Chrome network stack and exploited them to compromise the renderer process and escaped the Chrome sandbox. We will discuss the design problems of resource fetching/caching and one of the transport layer protocols embedded in Chrome. We will illustrate how server-side responses can affect browser behavior, which results in security bugs. Finally, we will detail the exploit strategy of these bugs which we used to win the Chrome category in the Tianfu Cup 2021 Cybersecurity Contest.