SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Google Chrome Vendors:   Google
Google Chrome Stack Overflow in Title Tag When Saving Files Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1020823
SecurityTracker URL:  http://securitytracker.com/id/1020823
CVE Reference:   CVE-2008-6994   (Links to External Site)
Updated:  Aug 20 2009
Original Entry Date:  Sep 5 2008
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.2.149.27; possibly other versions
Description:   A vulnerability was reported in Google Chrome. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a web page with a specially crafted title that, when saved by the target user with the 'Save As' function, will trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Some demonstration exploit code for Windows XP SP2 is available at:

http://security.bkis.vn/Proof-Of-Concept/PoC-XPSP2.html

Some demonstration exploit code is available at:

http://security.bkis.vn/Proof-Of-Concept/PoC-Crash.html

Le Duc Anh of SVRT - Bkis reported this vulnerability.

Impact:   A remote user can create HTML that, when saved by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.google.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Google Chrome 0.2.149.27 'SaveAs' Function Buffer

--===============1721108035==
Content-Type: multipart/alternative; boundary="_0905-2012-49-PART-BREAK"

--_0905-2012-49-PART-BREAK
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

We (SVRT-Bkis) have just discovered vulnerability in Google Chrome 
0.2.149.27. This is a Critical Buffer Overflow Vulnerability permiting 
hacker to perform a remote attack and take complete control of the affected 
system.

We have submitted this Vulnerability to Google. They confirmed and assign a 
verifier for build 0.2.149.28.

Proof of Concept:
We tested Google Chrome 0.2.149.27 on Windows XP SP2 (Open Calculator)
http://security.bkis.vn/Proof-Of-Concept/PoC-XPSP2.html
With others Windows not XP SP 2:
http://security.bkis.vn/Proof-Of-Concept/PoC-Crash.html
 
Details: 
- Type of Issue : Buffer Overflow. 

- Affected Software : Google Chrome 0.2.149.27.
    
- Exploitation Environment : Google Chrome  on Windows XP SP2.

- Impact: Remote code execution.

- Rating : Critical.

- Description : 
The vulnerability is caused due to a boundary error when handling the 
“SaveAs” function. On saving a malicious page with an overly long title 
(<title> tag in HTML), the program causes a stack-based overflow and makes 
it possible for attackers to execute arbitrary code on users’ systems.

- How an attacker could exploit the issue : 
To exploit the Vulnerability, a hacker might construct a specially crafted 
Web page, which contains malicious code. He then tricks users into visiting 
his Website and convinces them to save this Page. Right after that, the code 
would be executed, giving him the privilege to make use of the affected 
system.

- Discoverer : Le Duc Anh - SVRT - Bkis

- About SVRT : 
SVRT, which is short for Security Vulnerability Research Team, is one of 
Bkis researching groups. SVRT specializes in the detection, alert and 
announcement of security vulnerabilities in software, operating systems, 
network protocols and embedded systems… 

- About Bkis :
Bkis  (Bach Khoa Internetwork Security) is Vietnamese leading Center in 
researching, deploying network security software and solutions. 

- Website : http://security.bkis.vn

- Mail : svrt[at]bkav.com.vn

--_0905-2012-49-PART-BREAK
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 8bit

<HTML>
<head>  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 
<style title="table borders">.htmtableborders, .htmtableborders td, 
.htmtableborders th {border : 1px dashed lightgrey ! important;}  </style> 
<style type="text/css">html, body { border: 0px; }  span.macro, span.macro 
ul, span.macro div, span.macro p {background : #CCCCCC;} </style> <style 
type="text/css"> p{margin-bottom: 0.15em;margin-top: 
0.15em;}body{font-family:tahoma;font-size:10pt;}; </style></head><body 
style=""> <font style="font-family: tahoma; font-size: 10pt;"><div style="">
<br style="">&nbsp;We (SVRT-Bkis) have just discovered vulnerability in 
Google Chrome 0.2.149.27. This is a Critical Buffer Overflow Vulnerability 
permiting hacker to perform a remote attack and take complete control of the 
affected system.<br style=""><br style="">We have submitted this 
Vulnerability to Google. They confirmed and assign a verifier for build 
0.2.149.28.<br style=""><br style="">Proof of Concept:<br style="">We tested 
Google Chrome 0.2.149.27 on Windows XP SP2 (Open Calculator)<br style="">
http://security.bkis.vn/Proof-Of-Concept/PoC-XPSP2.html<br style="">With 
others Windows not XP SP 2:<br style="">
http://security.bkis.vn/Proof-Of-Concept/PoC-Crash.html<br style="">
&nbsp;<br style="">Details: <br style="">- Type of Issue : Buffer Overflow. 
<br style=""><br style="">- Affected Software : Google Chrome 0.2.149.27.<br 
style="">&nbsp;&nbsp; &nbsp;<br style="">- Exploitation Environment : Google 
Chrome&nbsp; on Windows XP SP2.<br style=""><br style="">- Impact: Remote 
code execution.<br style=""><br style="">- Rating : Critical.<br style="">
<br style="">- Description : <br style="">The vulnerability is caused due to 
a boundary error when handling the “SaveAs” function. On saving a 
malicious page with an overly long title (&lt;title&gt; tag in HTML), the 
program causes a stack-based overflow and makes it possible for attackers to 
execute arbitrary code on users’ systems.<br style=""><br style="">- How 
an attacker could exploit the issue : <br style="">To exploit the 
Vulnerability, a hacker might construct a specially crafted Web page, which 
contains malicious code. He then tricks users into visiting his Website and 
convinces them to save this Page. Right after that, the code would be 
executed, giving him the privilege to make use of the affected system.<br 
style=""><br style="">- Discoverer : Le Duc Anh - SVRT - Bkis<br style="">
<br style="">- About SVRT : <br style="">SVRT, which is short for Security 
Vulnerability Research Team, is one of Bkis researching groups. SVRT 
specializes in the detection, alert and announcement of security 
vulnerabilities in software, operating systems, network protocols and 
embedded systems… <br style=""><br style="">- About Bkis :<br style="">
Bkis&nbsp; (Bach Khoa Internetwork Security) is Vietnamese leading Center in 
researching, deploying network security software and solutions. <br style="">
<br style="">- Website : http://security.bkis.vn<br style=""><br style="">- 
Mail : svrt[at]bkav.com.vn<br style=""><br style=""></div></font> </body>
</HTML>

--_0905-2012-49-PART-BREAK--



--===============1721108035==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1721108035==--


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC