Issue 81: SRPC Double Free via __NaClSrpcArgsGet
Status:  Accepted
Owner:  s...@google.com
Security-Contest
Type-Defect


Reported by alex00882007, May 05, 2009
Team Name: Alex Rad 
email: defend.the.world@gmail.com

VERSION:       0.1 (10916299) 

Vulnerability:

A double free vulnerability exists in the SRPC nacl to browser communications interface.
The bug is triggered when handling malformed arguments. A double free can lead to a loss
of state in the underlying heap allocator. An attacker may weaponize it for arbitrary memory
corruption leading to remote code execution. 

To launch the vulnerability a malicious module must be loaded by a target user.
The error is triggered by sending an invalid SRPC response.

Tests were done on Linux using Firefox 3.0.10



srpc_args_df.tar.gz
91.1 KB   Download
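
Added example, not part of the original report and not Native Client code: the report does not show the root cause, so this sketches the general pattern in which an argument-unmarshalling error path and its caller both release the same buffers, next to the fix of clearing each pointer on release. The wire format, the tracking allocator and every function name here are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed tracking allocator: releasing a non-live pointer is counted, not passed to free(). */
static void *live[16];
static int double_frees;
static void *t_alloc(size_t n) {
    for (int i = 0; i < 16; i++)
        if (!live[i]) return live[i] = calloc(1, n);
    return NULL;
}
static void t_free(void *p) {
    for (int i = 0; p && i < 16; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    if (p) double_frees++; /* already released: a real free() here corrupts heap state */
}
/* Constructed wire format: [count] then [len][bytes] per argument. Returns count or -1. */
static int args_get(const uint8_t *b, size_t n, char **out, int max, int harden) {
    size_t off = 1;
    int count = n ? b[0] : 0, i = 0;
    if (count > max) return -1;
    for (; i < count; i++) {
        if (off >= n || (size_t)b[off] > n - off - 1) goto bad; /* truncated argument */
        size_t len = b[off++];
        if (!(out[i] = t_alloc(len + 1))) goto bad;
        memcpy(out[i], b + off, len); /* calloc already supplied the terminator */
        off += len;
    }
    return count;
bad: /* error path releases the arguments parsed so far */
    while (i-- > 0) {
        t_free(out[i]);
        if (harden) out[i] = NULL; /* fix: no dangling pointer survives the error */
    }
    return -1;
}
/* Caller frees every slot whatever the result; returns the double frees observed. */
static int handle_response(const uint8_t *b, size_t n, int harden) {
    char *args[4] = {0};
    double_frees = 0;
    args_get(b, n, args, 4, harden);
    for (int i = 0; i < 4; i++) t_free(args[i]);
    return double_frees;
}
int main(void) {
    const uint8_t bad[] = {2, 2, 'h', 'i', 9, 'x'}; /* constructed: second length overruns */
    printf("unhardened=%d hardened=%d\n", handle_response(bad, sizeof bad, 0), handle_response(bad, sizeof bad, 1));
    return 0;
}
```

Giving each buffer a single owner, or clearing the pointer at the point of release as the `harden` branch does, keeps the cleanup idempotent when a malformed message aborts parsing partway through.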
Comment 1 by nativeclient.admin, May 05, 2009
(No comment was entered for this change.)
Owner: s...@google.com
Labels: Type-Defect
Comment 2 by nativeclient.admin, May 07, 2009
Verified as an issue.
Status: Accepted
Comment 3 by bradnel...@google.com, Dec 03, 2009
(No comment was entered for this change.)
Owner: s...@google.com