top | item 41867770

(no title)

webXL | 1 year ago

Correct me if I’m wrong, but remote code execution has the advantage of being able to access information without the user being involved at all. Sure the user needs to install and trigger the exploit, but whatever code the attacker runs doesn’t require the user to interact with certain urls. If you can launch arbitrary programs, you can probably install all sorts of nasty things that are potentially more lucrative than the victim’s bank or coinbase accounts.

discuss

therein|1 year ago

It breaks the assumption that Chrome is sandboxed and something I do as a user including installing an extension will not have an impact outside of Chrome. A new process outside Chrome to call your own and do whatever you want with.

You're on Windows? Download a binary, create some WMI triggers and get executed at every boot as the same user (requires no elevation for same user, if Admin, you can get NT_AUTHORITY). If you find something to elevate to Administrator you could also patch the beginning of some rarely used syscall and then invoke it and get a thread to yourself in the kernel. These things tend to almost chain themselves sometimes. At least on Windows it feels that way.

Also the user doesn't have to navigate to a specific URL in the final form, just needs to open devtools after installing the extension.