Full Report
Extensions are central to how the Chrome browser is customized, but they have far greater capabilities than an ordinary web page, so the APIs exposed to extensions must be built so that no privilege escalation through them is possible. The extension debugger API (`chrome.debugger`) lets an extension attach a debugger to a tab, which is mainly used while developing an extension. When an attached tab navigates, Chrome checks whether the debugger is still allowed to be attached at the new URL; this, of course, requires the proper permissions. If the navigation goes to WebUI, the debugging session is supposed to be terminated, and terminating it fires the `onDetach` event. I assume that webui is a general term for web pages, with some of the pages within Chrome being more privileged than others. The bug is that while `onDetach` is being dispatched for this forced termination, the extension can re-attach to the same tab. The author believes this works because the tab's URL change has not been committed yet, so the permission check is evaluated against the wrong URL: instead of looking at the WebUI URL the tab is moving to, it looks at the original one, which carries different permissions. Why is this bad? A debugger attached to a page can inject code into it. Doing that on a privileged page is a serious privilege escalation, and it could even be used to execute commands on the device. Overall, this is an interesting bug that comes down to a subtle logic issue. Sometimes, dynamic testing and trying out random things is the only way to find issues like this.
Analysis Summary
# Vulnerability: Chrome Extension Debugger API Stale-URL Permission Check Allows Re-attach to WebUI (Privilege Escalation)
## CVE Details
- **CVE ID:** Not stated in the report. The analysis tentatively mapped the flaw to CVE-2024-4671 on the basis of its general characteristics, but Google's May 2024 stable-channel advisory describes CVE-2024-4671 as a use-after-free in Visuals, not a `chrome.debugger` logic flaw, so the identifier is unconfirmed and should not be relied on.
- **CVSS Score:** 8.8 (High) is the score assigned to CVE-2024-4671 and inherits the same caveat; the report itself assigns no score.
- **CWE:** CWE-285 (Improper Authorization) is the closest fit: the permission check is evaluated against stale state (the tab's last committed URL). CWE-362 (Race Condition) is a looser fit, because the report describes the re-attach as issued from the extension's own `onDetach` handler, so the window is reached deterministically rather than by winning a timing race.
## Affected Systems
- **Products:** Google Chrome and Chromium-based browsers that expose the `chrome.debugger` extension API.
- **Versions:** The report gives no version. "Versions prior to 124.0.6367.201" applies only if the tentative CVE-2024-4671 mapping above is correct.
- **Configurations:** Browsers with at least one installed extension that holds the `debugger` permission (declared in `permissions` or granted at run time from `optional_permissions`).
## Vulnerability Description
The vulnerability is a logic flaw in the permission check of the Chrome extension `chrome.debugger` API. Extensions are not allowed to debug WebUI pages (privileged internal Chrome pages such as `chrome://settings`), so when a tab with an attached debugger navigates to WebUI, the browser is designed to terminate the session and deliver an `onDetach` event to the extension.
The flaw is that the extension can issue a new attach request from inside its `onDetach` handler. At that moment the tab's navigation to the privileged WebUI URL has not yet been committed in the browser's state, so the permission check consults the *previous*, unprivileged URL and accepts the request. The debugger therefore ends up attached to a privileged page it should never have been allowed to reach.
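To make the committed-versus-pending distinction concrete, here is an added model of the check in JavaScript. It is not Chromium source and not the researcher's proof of concept: `Tab`, `attach`, `detach` and `navigate` are stand-ins for browser-side state, and the two checker functions differ only in which URL the permission check reads. The "fixed" variant, which consults the pending URL, is one repair consistent with the report's diagnosis and is an assumption about the design, not a description of Google's actual patch.

```javascript
"use strict";

// Model of the chrome.debugger attach check around a WebUI navigation.
// Not Chromium code: every type and function here is a simplified stand-in.

const PRIVILEGED_SCHEMES = ["chrome:", "chrome-untrusted:", "devtools:"];

function isPrivilegedUrl(url) {
  return PRIVILEGED_SCHEMES.includes(new URL(url).protocol);
}

class Tab {
  constructor(committedUrl) {
    this.committedUrl = committedUrl; // last navigation that finished
    this.pendingUrl = null;           // navigation in flight, not yet committed
    this.debuggee = null;             // id of the extension currently attached
    this.onDetach = null;             // handler registered by the extension
  }
}

// Two variants of "which URL does the permission check look at".
// The flawed one mirrors the report: it reads the committed URL, which is still
// the old page while the navigation is pending. The fixed one (an assumed repair)
// prefers the pending URL whenever a navigation is in flight.
const checkCommittedUrl = (tab) => tab.committedUrl;
const checkPendingUrl = (tab) => tab.pendingUrl ?? tab.committedUrl;

function attach(tab, extensionId, checker) {
  if (isPrivilegedUrl(checker(tab))) return false; // denied
  tab.debuggee = extensionId;
  return true;
}

function detach(tab) {
  tab.debuggee = null;
  if (tab.onDetach) tab.onDetach(); // extension code runs here, before commit
}

function navigate(tab, url) {
  tab.pendingUrl = url;
  // Debuggers are not allowed on privileged pages: force a detach first.
  if (tab.debuggee !== null && isPrivilegedUrl(url)) detach(tab);
  tab.committedUrl = url;
  tab.pendingUrl = null;
}

// The sequence from the report: attach on an ordinary page, navigate the tab
// to WebUI, and have the onDetach handler immediately try to re-attach.
function runScenario(checker) {
  const EXT_ID = "abcdefghijklmnopabcdefghijklmnop"; // constructed extension id
  const tab = new Tab("https://example.test/");       // constructed start page
  attach(tab, EXT_ID, checker);
  let reattachAccepted = false;
  tab.onDetach = () => {
    reattachAccepted = attach(tab, EXT_ID, checker);
  };
  navigate(tab, "chrome://settings/");
  return {
    reattachAccepted,
    attachedAfterCommit: tab.debuggee === EXT_ID,
    committedUrl: tab.committedUrl,
  };
}

console.log("flawed check:", runScenario(checkCommittedUrl));
console.log("fixed check: ", runScenario(checkPendingUrl));
```

With the flawed checker the re-attach is accepted and the extension is still attached once `chrome://settings/` commits; with the pending-URL checker the same handler is denied. The model deliberately has `detach` run the extension handler synchronously, because that ordering (handler before commit) is the whole bug.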
## Exploitation
- **Status:** Reproduced by the original researcher through dynamic testing of the API; the report references no public exploit.
- **Complexity:** Low to Medium. The re-attach is issued from the extension's own `onDetach` handler, so the window is reached deterministically rather than by winning a timing race; the remaining work is turning script injection into a WebUI page into a useful primitive.
- **Attack Vector:** Local. The attacker needs an installed malicious or compromised extension that holds the `debugger` permission.
## Impact
- **Confidentiality:** High. Script running in a WebUI page can read the browser data and internal settings that page exposes.
- **Integrity:** High. The attached debugger can inject arbitrary code into privileged pages.
- **Availability:** Not discussed in the report.
- **Privilege Escalation:** Critical. Injecting code into a WebUI page gives the extension the privileged browser-side interfaces those pages use; the report notes this could be taken as far as executing commands on the device.
## Remediation
### Patches
- Update Google Chrome to the current stable release. The specific fixed version **124.0.6367.201** (Windows, Mac, Linux) is only meaningful if the tentative CVE-2024-4671 mapping above is correct; the report names no fixed version.
### Workarounds
- **Extension Audit:** Review installed extensions and remove or limit those that request the `debugger` permission; outside of extension development it is rarely needed.
- **Enterprise Policy:** Use the `ExtensionSettings` policy with `blocked_permissions: ["debugger"]` in the default (`*`) scope, and grant `allowed_permissions: ["debugger"]` only to the specific extension IDs that need it.
## Detection
- **Indicators of compromise:** An unexpected extension attaching the debugger. When an extension uses `chrome.debugger`, Chrome shows an infobar reading "<extension name>" started debugging this browser; treat that bar on a machine where no one is developing extensions as suspicious. Note that the `--silent-debugger-extension-api` command-line switch suppresses this bar, so its absence is not proof of absence.
- **Detection methods and tools:** Audit the `manifest.json` of each installed extension (under the profile's `Extensions/<id>/<version>/` directory) for `"debugger"` in the `permissions` array, and also in `optional_permissions`, since the permission can be requested at run time.
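The audit and the policy workaround above are simple enough to script. The following is an added JavaScript (Node.js) helper, not a Chrome or Chromium tool: it classifies manifests by how they request the `debugger` permission and emits the `ExtensionSettings` value that blocks it by default. The sample manifests, extension IDs and names are constructed for the example; `loadManifestsFromProfile` is a convenience for reading real `manifest.json` files and is the only part that touches disk.

```javascript
"use strict";

// Added audit helper (not a Chrome or Chromium tool). Finds extensions that
// request the debugger permission and builds a blocking ExtensionSettings policy.

// Constructed sample manifests standing in for
// <profile>/Extensions/<id>/<version>/manifest.json files. IDs and names are made up.
const SAMPLE_MANIFESTS = {
  abcdefghijklmnopabcdefghijklmnop: {
    name: "Dev Helper", manifest_version: 3,
    permissions: ["debugger", "tabs"],
  },
  bcdefghijklmnopabcdefghijklmnopa: {
    name: "Notes", manifest_version: 3,
    permissions: ["storage"], optional_permissions: ["debugger"],
  },
  cdefghijklmnopabcdefghijklmnopab: {
    name: "Theme", manifest_version: 2,
    permissions: ["activeTab", "https://*/*"],
  },
};

// The permission may be declared up front or requested later at run time
// (optional_permissions), so both lists are checked. Returns null when absent.
function debuggerPermissionKind(manifest) {
  if ((manifest.permissions ?? []).includes("debugger")) return "required";
  if ((manifest.optional_permissions ?? []).includes("debugger")) return "optional";
  return null;
}

function auditManifests(manifests) {
  const findings = [];
  for (const [id, manifest] of Object.entries(manifests)) {
    const kind = debuggerPermissionKind(manifest);
    if (kind) findings.push({ id, name: manifest.name, kind });
  }
  return findings;
}

// ExtensionSettings policy: "*" is the default scope applied to every extension;
// a per-ID entry overrides it for that extension only.
function buildExtensionSettingsPolicy(allowedIds = []) {
  const policy = { "*": { blocked_permissions: ["debugger"] } };
  for (const id of allowedIds) policy[id] = { allowed_permissions: ["debugger"] };
  return policy;
}

// Reads real manifests from a profile's Extensions directory. Requires are inside
// the function so the rest of the script runs offline on the samples above.
function loadManifestsFromProfile(extensionsDir) {
  const fs = require("fs");
  const path = require("path");
  const manifests = {};
  for (const id of fs.readdirSync(extensionsDir)) {
    const idDir = path.join(extensionsDir, id);
    if (!fs.statSync(idDir).isDirectory()) continue;
    for (const version of fs.readdirSync(idDir)) {
      const file = path.join(idDir, version, "manifest.json");
      if (fs.existsSync(file)) manifests[id] = JSON.parse(fs.readFileSync(file, "utf8"));
    }
  }
  return manifests;
}

console.log(JSON.stringify(auditManifests(SAMPLE_MANIFESTS), null, 2));
console.log(JSON.stringify(buildExtensionSettingsPolicy(["abcdefghijklmnopabcdefghijklmnop"]), null, 2));
```

On a real host, replace `SAMPLE_MANIFESTS` with `loadManifestsFromProfile("<profile>/Extensions")`. Two caveats: Web Store extensions often store a localized placeholder such as `__MSG_appName__` in `name`, so resolve it from `_locales` if you need a readable label, and an `optional` finding only means the extension can ask for the permission, not that the user has granted it.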
## References
- **Vendor Advisory:** hxxps[://]chromereleases[.]googleblog[.]com/2024/05/stable-channel-update-for-desktop_9.html
- **Chromium Bug Tracker:** hxxps[://]issues[.]chromium[.]org/issues/335391300 (Typically restricted during disclosure periods)