Chrome, as one of the most commonly used browsers, presents an attractive target for security researchers. Because Chrome plays a major role in the Android ecosystem, Chrome browser exploitation is an essential part of traditional 1-click chains. Given the rising complexity and the number of exploitation mitigations, this training attempts to lower the entry barrier into browser exploitation for novice researchers.
This training focuses on the Chrome renderer exploitation (RCEs) - the first step in gaining arbitrary code execution on the device. The focus is primarily on v8 vulnerabilities and common exploitation techniques covering both 32-bit and 64-bit Chrome versions on Android 10/11. It is largely self-contained and provides a generous amount of background information required to bootstrap your own Chrome research.
Similar to our other trainings, the course is structured as several theory modules (providing the necessary background material), followed by hands-on lab exercises demonstrating learned concepts in practice. The main target for this training is 64-bit Chrome. Where applicable, any differences with 32-bit will be briefly discussed.
Disabling SELinux (setenforce 0) is needed when demonstrating code execution in the renderer process: to demonstrate code execution we might use a reverse shell, which requires SELinux/SEAndroid to be disabled. Samsung devices, on the other hand, do not allow SELinux/SEAndroid to be disabled even if the device is rooted, because selinux_enforcing (depending on the device/kernel version) is RKP-protected (read-only). If you have a rooted Samsung device you can opt for a simpler payload to execute from the isolated_app context that doesn't require SELinux/SEAndroid to be disabled. Other than that, any rooted Android device capable of running a 64-bit Chrome version should be suitable for this training.
There are generally two public training sessions per year (in the first half of the year) in Europe or Asia. You can sign up below to receive public training schedule notifications.
For a private training contact us directly.