Google Chrome Frame null domain XSS

Thursday, November 19, 2009
#####################################
Google Chrome Frame null domain XSS
Vendor URL: http://www.google.com/chromeframe
Vendor changelog: http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html
Advisory: http://lostmon.blogspot.com/2009/11/google-chrome-frame-null-domain-xss.html
Vendor notified: yes    Exploit available: YES
######################################


######################
Description by vendor
######################

Google Chrome Frame is a free plug-in for Internet Explorer.
Some advanced web apps, like Google Wave, use Google Chrome
Frame to provide you with additional features and better performance.

Google Chrome Frame is an early-stage open source
plug-in that seamlessly brings Google Chrome's open
web technologies and speedy JavaScript engine to
Internet Explorer.

################
Version affected
################

4.0.223.9 (Official Build 29618)
WebKit: 532.3
V8: 1.3.16
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3

Not affected version:

4.0.245.1 (Official Build 31970)
WebKit: 532.5
V8: 1.3.18.6
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5

You can find additional information here:
http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html

#####################
Cross Site scripting
#####################

Create an HTML document and test the following =>

<iframe src="javascript:alert(1)"></iframe>
=> this opens the iframe and executes the alert
( this is correct )

<iframe src="cf:javascript:alert(1)"></iframe>
this does not work, the alert is not shown ( correct )

and here is the flaw =>
<iframe src="cf:view-source:javascript:alert(1)"></iframe>

This shows & executes the alert; it works in the local & remote
scenario, or via the address bar too.
This bypassed cross-origin protections !!!

For the Google Chrome browser, test this
at the address bar =>
view-source:javascript:alert(1)

this executes the alert, but recently Google has made changes
in the about:blank page and this issue is only exploitable
via the address bar, not in an iframe or frame or HTML document,
so for that I think that this issue isn't exploitable in a
remote scenario.
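An added example, not code from the advisory or from Chrome Frame, of the iframe-src check a page embedding user-controlled URLs would want: the naive function mirrors the one-layer scheme filtering the advisory observes (cf:javascript: blocked, cf:view-source:javascript: passed), the hardened one unwraps every layer before allowlisting the innermost scheme. The wrapper list, the allowlist and the depth limit are assumptions for this example.

```javascript
// Added example (not from the advisory). Models the scheme-nesting bug
// described above: a filter that looks only one wrapper deep lets
// "cf:view-source:javascript:" through. WRAPPER_SCHEMES, ALLOWED_SCHEMES and
// MAX_WRAPPER_DEPTH are assumptions for this example.

const WRAPPER_SCHEMES = ["cf", "view-source"]; // schemes that just wrap another URL
const ALLOWED_SCHEMES = ["http", "https"];     // what an iframe src may resolve to
const MAX_WRAPPER_DEPTH = 8;                   // refuse pathological nesting

const SCHEME_RE = /^\s*([a-z][a-z0-9+.-]*):/i;

// Returns the leading scheme, lower-cased and without the colon, or null.
function leadingScheme(url) {
  const m = SCHEME_RE.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Drops exactly one "scheme:" prefix from the front of the URL.
function stripScheme(url) {
  return url.replace(SCHEME_RE, "");
}

// Naive check: unwraps at most one wrapper scheme and only blocks "javascript".
// With "cf:view-source:javascript:alert(1)" it stops at "view-source" and
// wrongly returns true, which is the behaviour the advisory reports.
function naiveIsSafeSrc(url) {
  let scheme = leadingScheme(url);
  if (scheme !== null && WRAPPER_SCHEMES.includes(scheme)) {
    scheme = leadingScheme(stripScheme(url));
  }
  return scheme !== "javascript";
}

// Hardened check: keeps unwrapping while the scheme is a wrapper, bounds the
// depth, and then accepts only an allowlisted innermost scheme. Relative URLs
// (no scheme at all) are rejected here; adjust to the embedding policy.
function hardenedIsSafeSrc(url) {
  let rest = url;
  let scheme = leadingScheme(rest);
  let depth = 0;
  while (scheme !== null && WRAPPER_SCHEMES.includes(scheme)) {
    if (++depth > MAX_WRAPPER_DEPTH) return false;
    rest = stripScheme(rest);
    scheme = leadingScheme(rest);
  }
  return scheme !== null && ALLOWED_SCHEMES.includes(scheme);
}
```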

###########
crashes
###########

cf:view-source:about@: => crash
cf:about@: => crashes the tab

############
Solution
############

Google has automatically released a new version
of Chrome Frame, 4.0.245.1 (Official Build 31970),
and this version is not affected.

#################End#############

Thanks to Estrella for being my light
Thanks to icar0 & sha0 from Badchecksum
Thanks to the Google Security Team

Sincerely:
Security Research & Analysis.
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....