Google Chrome Mojo Component Sandbox Escape Vulnerability on Windows

Vulnerability

A vulnerability in the Mojo component of Google Chrome for Windows, in versions prior to 136.0.7103.113, allowed a remote attacker to potentially escape the browser's sandbox by exploiting an incorrect handle management issue. The vulnerability could be triggered by a malicious file, leading to unauthorized access or control over certain browser processes.

Impact

Exploitation of this vulnerability allows a renderer process to duplicate and gain control over handles of the browser process, effectively escaping the sandbox restrictions and potentially leading to unauthorized actions or access within the browser environment.

Reproduction

The vulnerability can be reproduced by applying a specific patch that introduces the handle-management flaw into the Mojo component, then compiling and running the modified Chrome build. The issue is triggered by sending a series of crafted messages that exploit the improper handling of process handles, in particular by manipulating the transport connections between the renderer and browser processes. In this sequence a privileged handle is duplicated from the browser process into the renderer, after which it can be used to execute commands in the context of the browser process, bypassing the sandbox protections.

Remediation

Users can update to Google Chrome version 136.0.7103.113 or later, where this vulnerability has been fixed.
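The remediation above turns into a vulnerability-management check: compare the installed Chrome build against the first fixed build numerically, since a string comparison gets four-component versions wrong. The following Python is an added example written for this page, not code from the advisory or from the Chromium project. The fixed version 136.0.7103.113 comes from the advisory; the registry location used for the optional local lookup, and the host inventory in the usage block, are assumptions and constructed sample data.

```python
"""Flag Chrome installs older than the first build that fixes this Mojo issue.

Added example, not part of the original advisory. FIXED_VERSION comes from
the advisory; the registry path used by installed_chrome_version() is an
assumption about where Chrome records its per-user version on Windows.
"""
import sys
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "136.0.7103.113"  # first fixed build, per the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted Chrome version such as '136.0.7103.113' into a tuple of ints.

    Numeric comparison is essential: as plain strings, '99.0.4844.51' would
    sort *after* '136.0.7103.113' and a vulnerable build would look fixed.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-component Chrome version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Read the per-user Chrome version from the Windows registry.

    Assumption (not from the advisory): Chrome stores its installed version
    in the 'version' value under HKCU\\Software\\Google\\Chrome\\BLBeacon.
    Returns None on non-Windows hosts or when the key is absent, so the
    rest of the module stays usable offline.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows

    try:
        key_path = r"Software\Google\Chrome\BLBeacon"
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "version")
            return str(value)
    except OSError:
        return None


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host -> version inventory into affected, fixed and unparseable hosts.

    Unparseable entries are reported rather than silently treated as fixed,
    so a broken inventory field never hides a vulnerable machine.
    """
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "invalid": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "fixed"
        except ValueError:
            bucket = "invalid"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample_inventory = {
        "ws-001": "136.0.7103.92",
        "ws-002": "136.0.7103.113",
        "ws-003": "99.0.4844.51",
        "ws-004": "137.0.7151.40",
        "ws-005": "unknown",
    }
    local = installed_chrome_version()
    if local is not None:
        sample_inventory["localhost"] = local
    for bucket, hosts in triage(sample_inventory).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `triage` function is the piece worth keeping: it is deliberately strict about malformed version fields and reports them separately, because "could not parse" and "is patched" must never end up in the same bucket during a patch-status sweep.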

Added: Aug 22, 2025, 9:21 PM
Updated: Aug 22, 2025, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread:         6.6
impact:        10.0
exploitability: 5.8
remediation:    7.7
relevance:      0.4
threat:         6.4
urgency:        2.9
incentive:      0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.