Issue 1414: Chrome Buffer Overflow Vulnerability - "SaveAs" Function
4 people starred this issue and may be notified of changes. Back to list
Status:  Verified
Owner:  anantha@chromium.org
Closed:  Sep 2008
Cc:  abarth@chromium.org, deanm@chromium.org, secur...@chromium.org
Labels:  Security, OS-All, Pri-0, Type-Bug, Area-Unknown

Reported by s...@bkav.com.vn, Sep 05, 2008
SVRT - Bkis have just discovered a vulnerability in Google Chrome 0.2.149.27
and would like to inform you of this. Here comes the report:

Details:

- Type of Issue: Buffer Overflow.

- Affected Software: Google Chrome 0.2.149.27.

- Exploitation Environment: Google Chrome (Language: Vietnamese) on Windows
XP SP2.

- Impact: Remote code execution

- Description: 
The vulnerability is caused due to a boundary error when handling the
“SaveAs” function. On saving a malicious page with an overly long title
(<title> tag in HTML), the program causes a stack-based overflow and makes
it possible for attackers to execute arbitrary code on users’ systems.

- How an attacker could exploit the issue:
To exploit the vulnerability, a hacker might construct a specially crafted
Web page, which contains malicious code. He then tricks users into visiting
his Website and convinces them to save this Page. Right after that, the
code would be executed, giving him the privilege to make use of the
affected system.

- Exploitation code: Proof of Concept: Crash (Attached to this document).

- Researcher: AnhLD – SVRT member.

- About SVRT:
Bkis Vietnam is a security research center in Vietnam. SVRT, which is short
for Security Vulnerability Research Team, is one of Bkis researching
groups. SVRT specializes in the detection, alert and announcement of
security vulnerabilities in software, operating systems, network protocols
and embedded systems...

- Contact detail:
Name: Security Vulnerability Research Team.

Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)

Office: 5th Floor, Hitech building - 1A Dai Co Viet, Hanoi
Email: svrt@bkav.com.vn
WebBlog: security.bkis.vn
Website: www.bkav.com.vn

Attachment: Chrome-Poc.html (3.5 KB)
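As an added illustration (not Chromium's code and not the attached proof of concept), this is the defensive pattern for the bug class described above: the save-as file name is derived from an untrusted <title> into a fixed-size buffer only after an explicit length check, and an over-long title is rejected instead of copied, which matches the "file name is invalid" behaviour the verifier reports later in this issue. The function names, the 64-character cap and the suffix are assumptions, not the browser's own.

```c
#include <string.h>

/* Assumed limits; not Chromium's values. */
#define MAX_TITLE_CHARS 64
#define SUFFIX ".html"
#define NAME_BUF_SIZE (MAX_TITLE_CHARS + sizeof(SUFFIX))   /* 70 incl. NUL */

/* Characters not permitted in a Windows file name component. */
static const char *RESERVED = "<>:\"/\\|?*";

/* The bug class: an unbounded (strcpy-style) copy of the page title into a
 * fixed stack buffer. This version checks the length first and refuses the
 * title instead of writing past the end of the buffer. */
int derive_save_name(const char *title, char *out, size_t out_size)
{
    size_t len = strlen(title);
    if (len == 0 || len > MAX_TITLE_CHARS)
        return -1;                          /* over-long or empty: reject */
    if (out_size < len + sizeof(SUFFIX))
        return -1;                          /* caller's buffer too small */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)title[i];
        /* reserved and control characters become '_' */
        out[i] = (c < 0x20 || strchr(RESERVED, c)) ? '_' : (char)c;
    }
    memcpy(out + len, SUFFIX, sizeof(SUFFIX));   /* copies the NUL too */
    return 0;
}

/* Returns 1 if title yields exactly `expected`, 0 if it is rejected or differs. */
int save_name_equals(const char *title, const char *expected)
{
    char buf[NAME_BUF_SIZE];
    if (derive_save_name(title, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Edge case from the report: a title one character over the limit must be
 * rejected, and the destination buffer must stay untouched. */
int overlong_title_rejected(void)
{
    char title[MAX_TITLE_CHARS + 2];
    memset(title, 'A', MAX_TITLE_CHARS + 1);
    title[MAX_TITLE_CHARS + 1] = '\0';
    char buf[NAME_BUF_SIZE] = "untouched";
    return derive_save_name(title, buf, sizeof buf) == -1
        && strcmp(buf, "untouched") == 0;
}
```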
Comment 1 by abarth@chromium.org, Sep 05, 2008
Thank you for the report.  This is likely another way to tickle the same issue we're
tracking internally at <http://b/issue?id=1361369>.  We'll keep you advised of our
progress on this issue.
Cc: aba...@chromium.org de...@chromium.org
Comment 2 by abarth@chromium.org, Sep 05, 2008
Patch in hand.  Building release candidate.
Status: Started
Owner: de...@chromium.org
Comment 3 by mal.chromium, Sep 05, 2008
Thank you for disclosing this responsibly. We have reproduced the issues and believe 
we have developed a fix.

revision 1766 (http://src.chromium.org/viewvc/chrome?view=rev&revision=1766) has been 
applied to our release branch to address this issue.

QA: Please use the test case provided in this issue (open the file and then right-
click > Save As...) to verify the fix.

I'll continue to update this issue with expected timelines for when we have verified 
the fix and when we start updating users.

Anantha: we need to assign a verifier for build 149.28. 
Status: FixUnreleased
Owner: anan...@chromium.org
Comment 4 by lcamtuf, Sep 05, 2008
This just got posted publicly on a mailing list:

Date: Fri, 05 Sep 2008 20:12:49 +0700
From: SVRT <svrt@bkav.com.vn>
To: full-disclosure@lists.grok.org.uk
Subject: Google Chrome 0.2.149.27 'SaveAs' Function Buffer Overflow Vulnerability

Comment 5 by niranjan@chromium.org, Sep 05, 2008
Verified that I get a 'This file name is invalid' error when I try to save the HTML 
file through the 'Save As' option.
Comment 6 by mal.chromium, Sep 08, 2008
(No comment was entered for this change.)
Status: Verified
Labels: -private