Google Chrome Fatal Crash

Saturday, September 20, 2008
##########################
Google Chrome Fatal Crash
##########################

Product Version : 0.2.149.30 (2200)and 0.2.149.29
URLs (if applicable) :it´s indiferent.
Other browsers tested:

Safari 3: ok
Firefox 3: ok
IE 7: ok
With other browsers i can only saturate the browser.

What steps will reproduce the problem?
1. open a malformed web
2. close the tab window
3. close again the same tab window

What is the expected result?

the expected result is that Chrome close the tab and we can´t close again
the tab

What happens instead?

Chrome do a Fatal Crash :)

sing of error:

AppName: chrome.exe AppVer: 0.0.0.0 ModName: chrome.dll
13:22 ? Lostmon ¦ ModVer: 0.2.149.30 Offset: 00007b1c



After a several test i can reproduce it all time
the function source file and function involved in crash:

tab_strip_model.cc

http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tabs/tab_str
ip_model.cc?view=markup&pathrev=83

and the function part in the file affected is in line 561:

TabContents* TabStripModel::GetContentsAt(int index) const {
CHECK(ContainsIndex(index)) <<
"Failed to find: " << index << " in: " << count() << " entries.";
return contents_data_.at(index)->contents;
}

reported here:
http://code.google.com/p/chromium/issues/detail?id=2579

--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Thnx for your time !!!

Maxthon Browser URI about: Dialog XSS

Friday, September 05, 2008
##########################################
Maxthon Browser URI about: Dialog XSS.
Vendor URL: http://www.maxthon.com/
Advisore:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss_05.html
Vendor notify:yes exploit available:yes
##########################################

##########################
Vulnerability description
##########################

Maxthon Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss ofintegrity.

#################
Versions
################·

Maxthon Browser 1.6.4 built 20 Vulnerable

Maxthon Browser 2.0.2.2961 Not vulnerable

Aparently in changelog of this version (2.0.2.2961)
The vendor has change some parts of about dialog ,them,
this vulnerability its pached after this version; but
before, prior versions can be vulnerables too.


ChangeLog from Maxthon:
http://www.maxthon.com/changelog.htm



###################
Solution
###################

Update to version 2.0.2.2961 or latest built.



###################
Timeline
##################

Dicovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----

###################
Proof of Concept.
###################

#############
Test
#############

Put in your Maxthon Broser

about:"><script>alert(1)</script>

or create a link like

<a href='about:<a href='about:"><script>alert(1)</script>'>Maxthon Browser XSS</a>

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Avant Browser URI about: Dialog XSS

##########################################
Avant Browser URI about: Dialog XSS.
Vendor URL: http://www.avantbrowser.com/
Advisory:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss.html
Vendor notify:Yes exploit available:yes
##########################################

##########################
Vulnerability description
##########################

Avant Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss of integrity.

#################
Versions
################·

Avant Browser 11.6 built 20 vulnerable.

Avant Browser 11.6 built 7 vulnerable


###################
Solution
###################

No Solution at this time !!!



###################
Timeline
##################

Discovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----

###################
Proof of Concept.
###################

#############
Test
#############

Put in your Avant Broser

about:"><script>alert(1)</script>

or create a link like

<a href='about:"><script>alert(1)</script>'>Avant Browser XSS</a>

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Multiple browsers Fake files donwload Cross-site scripting

Thursday, August 28, 2008
Multiple browsers are afected by a issue wen try to download
a fake file, this is a simple study of this situation , and
how to take profit. All Browsers have a little system for
download files, wen we click in a link,and this link go to
a downloable file, the browsers show a dialog to open ,save,
or cancel the download.

Create a fake files with the follows extensions ,exe,com,jar,
bat,pdf,zip,rar,jpg,jpeg,gif,avi,wmv,wma,mpeg, and txt for
example...and inside write a javascript code like
"><script>alert(1)</script> and in the pdf file ,
write before script, the head for a pdf file %PDF- save al
files and create a html with links to fake files,for download it.

Wen we click in some of this links, some browsers fails
to determine what file type it´s and wen the file is open,
the script is executed. I have test it in tree posible
scenarios or i test the security browsers in tree Zones,
with multiple browsers , but the most important are in
the table.

Click In the image to enlarge
The first test is local file (LF) this is wen we use protocol
file:// (ej: file://c:/test/index.html) and the script is runing
with the same rights that the users logged.

The second test is in a intranet server (ID) it´s wen we visit
a page inside our intranet, and The script it´s running in the
context of security of intranet zone.

The third test is in a internet server (RD) it´s when we visit
a page outside our intranet, and The script it´s running in the
context of security ofinternet zone .

Affter test all, the most efective or secure browsers are ,
Mozilla Firefox and Flock browser, because they are non
afeccted by this issue in any zone, and the most insecure
is Avant browser and Maxthon Browser, because they are
vulnerables in the tree zones, this two browsers use explorer
modules, but explorer its vulnerable only in two zones.

This issue can use to execute XSS style attacks.

A malicious user can upload files to server or add downloads
to sites with the link to a fake file and wen a user try to
donwload it , if it navigate with a vulnerable browser in the
Zone, the script is executed with the rights of the affected Zone.

a example with moore comprensive table is available here POC

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....


http://usuarios.lycos.es/reyfuss/browsers/
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends