BRW-RENDERER-SBX-ESCAPEPrivilege Escalation

Renderer → Broker Sandbox Escape

Once code-exec in the renderer, abuse a Mojo IPC handler / GPU process IPC / DRM-tier ioctl to break into the browser broker → host context.

§ Where this technique fits

BRW-RENDERER-SBX-ESCAPE is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Renderer compromise → GPU process → vulnerable kernel driver
After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.
step 2 / 5

§ What commonly comes next

01
GPU Process Driver IOCTL Escape
BRW-GPU-IOCTL · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Renderer compromise → GPU process → vulnerable kernel driver

§ What commonly comes next