Google Chrome DevTools Sandbox Escape Vulnerability

Vulnerability

A vulnerability in Google Chrome's DevTools component, prior to version 136.0.7103.59, allowed remote attackers to potentially escape the browser's sandbox by using a specially crafted HTML page. This was achieved through a cross-site scripting (XSS) attack that exploited a missing validation for 'javascript:' URLs in WebSocket connections, particularly via the 'devtools://devtools/bundled/integration_test_runner.html' page. The vulnerability could be triggered by dragging and dropping an icon into a DevTools panel, or by using a Chrome extension with the 'devtools_page' key in its manifest.

Impact

Exploitation of this vulnerability led to a universal cross-site scripting (XSS) condition that could be chained into a sandbox escape by opening downloaded files, and that exposed most Chrome DevTools Protocol (CDP) commands. The initial XSS could be used to read local files, leak sensitive information such as NTLM hashes and browser account details, and bypass user-interaction requirements for certain actions.

Reproduction

The vulnerability can be reproduced by connecting to a malicious WebSocket server that sends a 'javascript:' URL payload. This can be done by manually dragging and dropping a DevTools URL into a Chrome tab, or by using a Chrome extension that automatically opens a DevTools page. Once the payload is executed, the attacker can perform various actions, such as reading local files or bypassing Chrome's sandbox restrictions.

Remediation

Users can update to Google Chrome version 136.0.7103.59 or later, where this vulnerability has been fixed.
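For a defender, the practical question raised by this advisory is whether a given Chrome install is at or above the fixed build. The following is an added example, not part of the advisory or of Chrome's own tooling: it parses a Chrome version string (either a bare dotted version or the output of `google-chrome --version`), compares it numerically against the fixed version 136.0.7103.59 stated above, and optionally queries a local binary. The binary name `google-chrome` and the sample version strings are assumptions chosen for illustration.

```python
import re
import subprocess

# Version in which the DevTools flaw is fixed, as stated in the advisory.
FIXED_VERSION = "136.0.7103.59"


def parse_version(text):
    """Extract a dotted Chrome version from a string such as
    'Google Chrome 135.0.7049.114' or '136.0.7103.59' and return it
    as a tuple of ints. Tuples compare numerically, so 136.0.7103.59
    correctly sorts above 136.0.7103.8 (a plain string compare would not)."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to four components so a truncated version like 136.0 compares as 136.0.0.0.
    return tuple(parts + [0] * (4 - len(parts)))


def is_fixed(version_text, fixed=FIXED_VERSION):
    """True if the given Chrome version is at or above the fixed build."""
    return parse_version(version_text) >= parse_version(fixed)


def installed_chrome_version(binary="google-chrome"):
    """Best-effort: ask a local Chrome binary for its version string.
    Returns None when the binary is absent or fails, so the check can be
    run on hosts without Chrome without raising. (Binary name is an assumption.)"""
    try:
        result = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10, check=True
        )
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample version strings, in the shape `--version` prints them.
    samples = [
        "Google Chrome 135.0.7049.114",
        "Google Chrome 136.0.7103.59",
        "Chromium 137.0.7151.40",
    ]
    for s in samples:
        print(f"{s!r}: {'fixed' if is_fixed(s) else 'VULNERABLE (update required)'}")

    local = installed_chrome_version()
    if local is None:
        print("no local google-chrome binary found; nothing to check")
    else:
        print(f"installed: {local!r} -> {'fixed' if is_fixed(local) else 'VULNERABLE'}")
```

The numeric tuple comparison is the point of the example: fleet inventories and ad-hoc scripts that compare version strings lexically will misclassify builds once a component grows an extra digit.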

Added: Nov 14, 2025, 3:19 AM
Updated: Nov 14, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 6.3
exploitability: 5.8
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.