Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Google Chrome Stack Overflow in Title Tag When Saving Files Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1020823
|
|
SecurityTracker URL: http://securitytracker.com/id?1020823
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 5 2008
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 0.2.149.27; possibly other versions
|
Description: A vulnerability was reported in Google Chrome. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a web page with a specially crafted title that, when saved by the target user with the 'Save As' function,
will trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target
user.
Some demonstration exploit code for Windows XP SP2 is available at:
http://security.bkis.vn/Proof-Of-Concept/PoC-XPSP2.html
Some
demonstration exploit code is available at:
http://security.bkis.vn/Proof-Of-Concept/PoC-Crash.html
Le Duc Anh of SVRT - Bkis
reported this vulnerability.
|
Impact: A remote user can create HTML that, when saved by the target user, will execute arbitrary code on the target user's system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.google.com/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: "SVRT" <svrt@bkav.com.vn>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 05 Sep 2008 20:12:49 +0700
From: "SVRT" <svrt@bkav.com.vn>
Subject: [Full-disclosure] Google Chrome 0.2.149.27 'SaveAs' Function Buffer
|
--===============1721108035==
Content-Type: multipart/alternative; boundary="_0905-2012-49-PART-BREAK"
--_0905-2012-49-PART-BREAK
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
We (SVRT-Bkis) have just discovered vulnerability in Google Chrome
0.2.149.27. This is a Critical Buffer Overflow Vulnerability permiting
hacker to perform a remote attack and take complete control of the affected
system.
We have submitted this Vulnerability to Google. They confirmed and assign a
verifier for build 0.2.149.28.
Proof of Concept:
We tested Google Chrome 0.2.149.27 on Windows XP SP2 (Open Calculator)
http://security.bkis.vn/Proof-Of-Concept/PoC-XPSP2.html
With others Windows not XP SP 2:
http://security.bkis.vn/Proof-Of-Concept/PoC-Crash.html
Details:
- Type of Issue : Buffer Overflow.
- Affected Software : Google Chrome 0.2.149.27.
- Exploitation Environment : Google Chrome on Windows XP SP2.
- Impact: Remote code execution.
- Rating : Critical.
- Description :
The vulnerability is caused due to a boundary error when handling the
“SaveAs” function. On saving a malicious page with an overly long title
(<title> tag in HTML), the program causes a stack-based overflow and makes
it possible for attackers to execute arbitrary code on users’ systems.
- How an attacker could exploit the issue :
To exploit the Vulnerability, a hacker might construct a specially crafted
Web page, which contains malicious code. He then tricks users into visiting
his Website and convinces them to save this Page. Right after that, the code
would be executed, giving him the privilege to make use of the affected
system.
- Discoverer : Le Duc Anh - SVRT - Bkis
- About SVRT :
SVRT, which is short for Security Vulnerability Research Team, is one of
Bkis researching groups. SVRT specializes in the detection, alert and
announcement of security vulnerabilities in software, operating systems,
network protocols and embedded systems…
- About Bkis :
Bkis (Bach Khoa Internetwork Security) is Vietnamese leading Center in
researching, deploying network security software and solutions.
- Website : http://security.bkis.vn
- Mail : svrt[at]bkav.com.vn
--_0905-2012-49-PART-BREAK
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit
<HTML>
<head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style title="table borders">.htmtableborders, .htmtableborders td,
.htmtableborders th {border : 1px dashed lightgrey ! important;} </style>
<style type="text/css">html, body { border: 0px; } span.macro, span.macro
ul, span.macro div, span.macro p {background : #CCCCCC;} </style> <style
type="text/css"> p{margin-bottom: 0.15em;margin-top:
0.15em;}body{font-family:tahoma;font-size:10pt;}; </style></head><body
style=""> <font style="font-family: tahoma; font-size: 10pt;"><div st
yle="">
<br style=""> We (SVRT-Bkis) have just discovered vulnerability in
Google Chrome 0.2.149.27. This is a Critical Buffer Overflow Vulnerability
permiting hacker to perform a remote attack and take complete control of the
affected system.<br style=""><br style="">We have submitted this
Vulnerability to Google. They confirmed and assign a verifier for build
0.2.149.28.<br style=""><br style="">Proof of Concept:<br style="">
We tested
Google Chrome 0.2.149.27 on Windows XP SP2 (Open Calculator)<br style="">
http://security.bkis.vn/Proof-Of-Concept/PoC-XPSP2.html<br style="">With
others Windows not XP SP 2:<br style="">
http://security.bkis.vn/Proof-Of-Concept/PoC-Crash.html<br style="">
<br style="">Details: <br style="">- Type of Issue : Buffer
Overflow.
<br style=""><br style="">- Affected Software : Google Chrome 0.2.149
.27.<br
style=""> <br style="">- Exploitation Envi
ronment : Google
Chrome on Windows XP SP2.<br style=""><br style="">- Impact
: Remote
code execution.<br style=""><br style="">- Rating : Critical.<br s
tyle="">
<br style="">- Description : <br style="">The vulnerability is caused
due to
a boundary error when handling the “SaveAs” function. On saving a
malicious page with an overly long title (<title> tag in HTML), the
program causes a stack-based overflow and makes it possible for attackers to
execute arbitrary code on users’ systems.<br style=""><br style="">
- How
an attacker could exploit the issue : <br style="">To exploit the
Vulnerability, a hacker might construct a specially crafted Web page, which
contains malicious code. He then tricks users into visiting his Website and
convinces them to save this Page. Right after that, the code would be
executed, giving him the privilege to make use of the affected system.<br
style=""><br style="">- Discoverer : Le Duc Anh - SVRT - Bkis<br styl
e="">
<br style="">- About SVRT : <br style="">SVRT, which is short for Sec
urity
Vulnerability Research Team, is one of Bkis researching groups. SVRT
specializes in the detection, alert and announcement of security
vulnerabilities in software, operating systems, network protocols and
embedded systems… <br style=""><br style="">- About Bkis :<br st
yle="">
Bkis (Bach Khoa Internetwork Security) is Vietnamese leading Center in
researching, deploying network security software and solutions. <br style="">
<br style="">- Website : http://security.bkis.vn<br style=""><br s
tyle="">-
Mail : svrt[at]bkav.com.vn<br style=""><br style=""></div></
font> </body>
</HTML>
--_0905-2012-49-PART-BREAK--
--===============1721108035==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1721108035==--
|
|
Go to the Top of This SecurityTracker Archive Page
|
