[soiax]

It's all renderer only RCE-s, no sandbox escape. So it doesn't work on your browser, only if you disable the sandbox.

[js2]

> I then leverage this to achieve arbitrary memory read and write outside of the v8 heap sandbox, and in turn arbitrary code execution in the Chrome renderer process.

So the code is running in a process that runs as the same user running the browser. That's no longer much of a sandbox and you're now relying on the OS to protect your data, right?

[soiax]

No. There is a reason the author keeps repeating "arbitrary code execution in the Chrome renderer process." Because it's there, not in the browser process.

[armchairhacker]

https://github.com/github/securitylab/tree/main/SecurityExpl...

> If successful, on Ubuntu 22.04, it should call launch xcalc when calc.html is opened in Chrome.

Then how does this work? It doesn't look like the provided build flags disable any sandbox that the distributed build doesn't.

[soiax]

You can disable it runtime, with --no-sandbox command line option.

[bri3d]

No. You're relying on the OS's sandboxing features, which are much, much more granular than just "the same user running the browser."

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/d...