2008-09-05:

Remote Buffer Overflow in Google Chrome

chrome:security:buffer overflow:windows
A short info. Someone (Le Duc Anh - SVRT - Bkis) posted on the FD list about a Remote Buffer Overflow in Chrome, needing a little interaction from the user - the user needs to click 'Save as...' (the buffer overflow is related to the handling of the <title> while saving files). The researcher has provided two PoC exploits, one is said to run a calculator (on XP SP2, but it didn't work for me), and the other is just a DoS. It must be noted that that both the renderers and browser processes are crashed, so the vuln is located either in the browser, or is magically transfered from the renderer to the browser.

Concluding, this is the first remote code exec in Chrome (3 days after the release? sth like that), and 3rd published vuln (I'm not counting the unpublished ones ofc).

Update: Looks like Shinnok found another buffer overflow, however it seams it's just a remote DoS (however there still is an option it's something more) requiring some (very little) user interaction (placing mouse pointer above a link).
Stats: 1 remote code exec, 4 vulns total, and counting (keep in mind that it's just a beta, so these stats mean nothing).

Update 2: As You can see in the comments, SVRT-BKIS created additional PoC exploits for the remote buffer overflow vulnerability (I tried them out, they work, at least the last one does ;>). You can find the PoC exploits at Bkis Blog.

Comments:

2008-09-07 08:38:44 = SVRT-BKIS
{
"on XP SP2, but it didn't work for me"

We updated some PoC code for all PC, which instaled Google Chrome 0.2.149.27. You can try one of links for checking this vulnerability.

Thanks!!!
}
2008-09-07 08:39:33 = SVRT-BKIS
{
Sorry, this our website http://security.bkis.vn/?p=119
}
2008-09-07 09:34:00 = Gynvael Coldwind
{
@SVRT-BKIS
Thanks for Your comment ;>
The last PoC did the job at my machine. Good work! ;>
}
2008-09-09 21:25:35 = AlienRancher
{
The issue is in the browser process.
Fixed in the 0.2.149.29 update.



}

Add a comment:

Nick:
URL (optional):
Math captcha: 2 ∗ 3 + 7 =