The fugitive in Java: Escaping to Java to escape the Chrome sandbox
Blog post from GitHub
This post from GitHub Security Lab walks through the exploitation of CVE-2021-30528, a use-after-free in Chrome on Android that lets a compromised renderer escape the sandbox into the more privileged browser process. The author, Man Yue Mo, details the interaction between Chrome's C++ and Java code and shows how the hand-off of objects across that boundary can produce a use-after-free when the two sides disagree about an object's lifetime. The post examines how Chrome's use of PartitionAlloc as its memory allocator shapes the exploit, and describes a way to place attacker-controlled data at predictable addresses, sidestepping address-space randomization. It then works through the practical hurdles, replacing the freed object with controlled data and steering allocations into the right place, before reaching arbitrary code execution in the browser process. The write-up illustrates the intricacies of Chrome's architecture and underlines the need for continued hardening of both the sandbox and memory management.
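The bug class behind the post is a native object freed by one side of a C++/Java boundary while the other side still holds a raw pointer to it (in JNI-backed code that pointer is commonly parked in a Java `long` field and handed back later). The block below is an added illustration, not code from the post or from Chromium: it shows one common mitigation, a generation-checked handle table, so that a stale handle resolves to NULL instead of to freed or reallocated memory. All names (`native_obj`, `native_create`, `native_resolve`, and so on) are made up for the example.

```c
/* Added example: generation-checked handles in place of raw native pointers.
 * Not code from the blog post or from Chromium; names are made up here.
 *
 * The "Java side" only ever receives a 64-bit handle. When the native side
 * destroys the object, the slot's generation is bumped, so every outstanding
 * handle to that slot stops resolving, even if the slot is later reused. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECTS 64

typedef struct {
    char name[32];
    int  privileged;
} native_obj;

typedef struct {
    native_obj *obj;        /* NULL when the slot is free */
    uint32_t    generation; /* bumped on every destroy; never 0 once used */
} slot_t;

static slot_t table[MAX_OBJECTS];

/* Handle layout: low 32 bits = slot index, high 32 bits = generation. */
static uint64_t make_handle(uint32_t index, uint32_t gen) {
    return ((uint64_t)gen << 32) | index;
}

/* Allocate a native object and hand back an opaque handle; 0 on failure. */
uint64_t native_create(const char *name, int privileged) {
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (table[i].obj == NULL) {
            native_obj *o = calloc(1, sizeof *o);
            if (o == NULL) return 0;
            strncpy(o->name, name, sizeof o->name - 1);
            o->privileged = privileged;
            table[i].obj = o;
            if (table[i].generation == 0) table[i].generation = 1; /* handle 0 is never valid */
            return make_handle(i, table[i].generation);
        }
    }
    return 0;
}

/* Resolve a handle; NULL for unknown, freed, or stale handles. */
native_obj *native_resolve(uint64_t h) {
    uint32_t index = (uint32_t)(h & 0xffffffffu);
    uint32_t gen   = (uint32_t)(h >> 32);
    if (index >= MAX_OBJECTS) return NULL;
    slot_t *s = &table[index];
    if (s->obj == NULL || s->generation != gen) return NULL;
    return s->obj;
}

/* Free the object and invalidate every handle that points at its slot.
 * Returns 1 on success, 0 if the handle was already stale (double destroy). */
int native_destroy(uint64_t h) {
    native_obj *o = native_resolve(h);
    if (o == NULL) return 0;
    uint32_t index = (uint32_t)(h & 0xffffffffu);
    free(o);
    table[index].obj = NULL;
    table[index].generation++;
    if (table[index].generation == 0) table[index].generation = 1; /* skip 0 on wrap */
    return 1;
}

/* The call the Java side would make later. A stale handle yields -1 rather than
 * a dereference of freed memory. */
int native_is_privileged(uint64_t h) {
    native_obj *o = native_resolve(h);
    return o ? o->privileged : -1;
}
```

The important property is the last case in the checks below: after the slot is reused for a new object, the old handle still fails, because its generation no longer matches. With a raw pointer the same sequence would silently read whatever the allocator placed at the old address, which is precisely the situation an exploit of this class arranges on purpose.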