$3,000 Bounty: RCE in Burp Suite via Clickjacking
The researcher found that Burp Suite is exposed to RCE because it launches headless Chrome with an unauthenticated remote debugging port enabled. An attacker can use a JavaScript port-scanning trick to locate the debugging port and then use clickjacking to execute arbitrary system commands on the target machine. 2025-05-15 04:55:08 Author: infosecwriteups.com

From Click to Command: $3,000 RCE in Burp Suite via Chrome Debug Port

Monika sharma

Summary

In a brilliant attack chain combining Chrome internals, Java behavior, and UI tricks, researcher mattaustin discovered a remote code execution (RCE) vulnerability in Burp Suite. The vulnerability abuses the way Burp Suite’s embedded headless Chrome scanner enables remote debugging, allowing an attacker to clickjack their way into executing arbitrary OS commands on the host machine. Yes, including launching the Calculator app on a Mac.

Let’s dive into how this was achieved and why it matters.

Root Cause

When Burp launches a Chrome instance for its scanner or crawler, it does so in headless mode with the remote debugging port flag enabled. This allows automation and introspection of the browser through the Chrome DevTools Protocol, which is served over a WebSocket interface.

However, Chrome’s remote debugging port is:

  • Randomized per instance, so an attacker has to find it first
  • Bound to localhost, which still leaves it reachable from any web page loaded in a browser on the same machine
  • Not protected by authentication

The researcher combined this with:

  • A known JavaScript port-scanning trick to discover which port Chrome is listening on

Source: https://infosecwriteups.com/3-000-bounty-rce-in-burp-suite-via-clickjacking-3a3bac7cf431?source=rss----7b722bfd1b8d--bug_bounty