Issue 45: Integer overflow in npapi may crash the browser
Status:  Fixed
Owner:  s...@google.com
Closed:  Apr 2009
Security-Contest
Type-Defect

Reported by 0xdead.nacl, Mar 04, 2009
TEAM 0xdead
Affected OS: Linux, OSX, Windows
Tested Browser: Firefox 3.0.6
NaCl Version: nacl_linux_0.1_38_2009_02_11.tgz

An integer overflow is present in the SharedMemory::Invoke() function, in
npapi_plugin/shared_memory.cc. The read code can be invoked with malformed
len and offset, which could trigger the overflow, and crash the browser.
Code execution seems not to be possible.
Attachment: shm_crash.tar.gz (1.4 KB)
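The report above (and comment 1, which notes the same flaw in the write path) describes a length/offset check that can be wrapped by a malformed `len` and `offset`. The following is an added illustration written for this page, not code from `npapi_plugin/shared_memory.cc` or from the NaCl project: the `ShmRegion` type, the `shm_read`/`shm_write` helpers and the 64-byte constructed region are assumptions, used only to show a check that overflows in 32-bit arithmetic next to one that cannot.

```cpp
// Added illustration (not NaCl's shared_memory.cc): a length/offset check that
// wraps on 32-bit arithmetic, next to one that cannot.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical shared-memory region; the real plugin's layout is not shown on
// this page.
struct ShmRegion {
  unsigned char* base;
  uint32_t size;
};

// Naive check: `offset + len` is computed in 32 bits, so a large offset plus
// a small len wraps to a small number and passes the comparison.
static bool naive_range_ok(uint32_t offset, uint32_t len, uint32_t size) {
  return offset + len <= size;  // 0xFFFFFFF0 + 0x20 wraps to 0x10
}

// Hardened check: compares len against the space remaining after offset, so
// no intermediate sum is formed and nothing can wrap.
static bool safe_range_ok(uint32_t offset, uint32_t len, uint32_t size) {
  if (offset > size) return false;
  return len <= size - offset;
}

// Copy `len` bytes out of the region; returns bytes copied, 0 if rejected.
static uint32_t shm_read(const ShmRegion& shm, uint32_t offset, uint32_t len,
                         unsigned char* out) {
  if (!safe_range_ok(offset, len, shm.size)) return 0;
  std::memcpy(out, shm.base + offset, len);
  return len;
}

// Copy `len` bytes into the region (the write path needs the same guard);
// returns bytes copied, 0 if rejected.
static uint32_t shm_write(ShmRegion& shm, uint32_t offset,
                          const unsigned char* in, uint32_t len) {
  if (!safe_range_ok(offset, len, shm.size)) return 0;
  std::memcpy(shm.base + offset, in, len);
  return len;
}

// Constructed scenario: a 64-byte region and a wrapped (offset, len) pair.
static uint32_t demo_wrapped_read() {
  unsigned char backing[64] = {0};
  ShmRegion shm = {backing, 64u};
  unsigned char out[0x20];
  return shm_read(shm, 0xFFFFFFF0u, 0x20u, out);  // 0: rejected
}

// Constructed scenario: write a 4-byte pattern at a caller-chosen offset into
// a 64-byte region; returns bytes written (0 if the range is rejected).
static uint32_t demo_write(uint32_t offset, uint32_t len) {
  unsigned char backing[64] = {0};
  ShmRegion shm = {backing, 64u};
  const unsigned char pattern[4] = {0xAA, 0xBB, 0xCC, 0xDD};
  return shm_write(shm, offset, pattern, len > 4u ? 4u : len);
}

int main() {
  const uint32_t offset = 0xFFFFFFF0u, len = 0x20u, size = 64u;
  std::printf("naive check accepts wrapped range: %s\n",
              naive_range_ok(offset, len, size) ? "yes" : "no");
  std::printf("safe check accepts wrapped range:  %s\n",
              safe_range_ok(offset, len, size) ? "yes" : "no");
  std::printf("bytes read with safe check: %u\n", demo_wrapped_read());
  std::printf("write at 60/len 4: %u, at 61/len 4: %u\n",
              demo_write(60u, 4u), demo_write(61u, 4u));
  return 0;
}
```

The design point is that the hardened form never forms `offset + len` at all: it first rejects an offset past the end, then compares `len` with `size - offset`, which cannot underflow once `offset <= size` holds. The same guard serves both the read and the write path, which is why comment 1's write-side variant is covered by one fix.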
Comment 1 by 0xdead.nacl, Mar 04, 2009
In fact, a similar overflow is present in the write code, which may be exploitable in
this case.
Comment 2 by nativeclient.admin, Mar 04, 2009
Verified as an issue.
Status: Accepted
Owner: nativeclient.admin
Comment 3 by 0xdead.nacl, Mar 05, 2009
Eventually, here is a working exploit for Firefox 3.0.7 on Windows, which spawns
calc.exe! Details are given in the attached file.
Attachment: shm_exploit.tar.gz (2.3 KB)
Comment 4 by nativeclient.admin, Mar 12, 2009
(No comment was entered for this change.)
Owner: s...@google.com
Labels: Type-Defect
Comment 5 by nativeclient.admin, Apr 10, 2009
Fix was released in build 57.
Status: Fixed