Man Yue Mo

When it comes to security research, the path from bug to vulnerability to exploit can be a long one. Security researchers often end their research journey at the “Proof of…

In this last post of the series, I’ll exploit a use-after-free in the Chrome renderer (CVE-2020-15972), a bug that I reported in September 2020 but turned out to be a duplicate, to gain remote code execution in the sandboxed renderer process in Chrome.

In this series of posts, I’ll go through the exploit of three security bugs that I reported, which, when used together, can achieve remote kernel code execution in Qualcomm’s devices by visiting a malicious website in a beta version of Chrome. In this first post, I’ll exploit a use-after-free in Qualcomm’s kgsl driver (CVE-2020-11239), a bug that I reported in July 2020 and that was fixed in January 2021, to gain arbitrary kernel code execution from the application domain.

In this second post of the series, I’ll exploit a use-after-free in the Payment component of Chrome (1125614/GHSL-2020-165), a bug that I reported in September 2020 that only affected version 86 of Chrome, which was in beta. I’ll use it to escape the Chrome sandbox to gain privilege of a third party App on Android from a compromised renderer.

In this post I’ll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I’ll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.

In this post I’ll show how garbage collections (GC) in Chrome may be triggered with small memory allocations in unexpected places, which was then used to cause a use-after-free bug.