Google Chrome Privilege Escalation Vulnerability in Extensions

Vulnerability

A privilege escalation vulnerability has been identified in the Extensions component of Google Chrome, affecting versions prior to 135.0.7049.52. This vulnerability allows remote attackers to escalate privileges by exploiting a flaw in how the browser handles certain URL parameters in chrome-extension:// URLs. The issue arises from improper validation of input in the Extensions API, which can be manipulated to access non-web-accessible resources or execute commands via the terminal private API, particularly on Chrome OS devices with developer mode enabled.

Impact

Exploitation of this vulnerability could lead to unauthorized access to privileged APIs or resources, allowing for actions that could disrupt normal user operations or manipulate system functions, such as executing commands through the Chrome OS terminal.

Reproduction

The vulnerability can be reproduced by creating a Chrome extension that includes a background script. This script can use the 'chrome.windows.create' API to open a URL that includes the 'chrome-extension://' scheme, targeting a page that is not listed as web-accessible in the extension's manifest. The URL can be crafted to include specific command parameters that, when processed by the extension, trigger the execution of privileged actions, such as accessing the terminal with custom arguments.

Remediation

Users can update to Google Chrome version 135.0.7049.52 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 5.0
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.