Re: [Dailydave] Google Chrome Browser Flaw

From: Matthieu Suiche (msuiche@gmail.com)
Date: Wed Sep 03 2008 - 12:01:01 CDT


This is not a vulnerability. This is only a bug located inside
chrome.dll, caused by the Microsoft Visual Studio C Run-Time Libraries.
(As you can see, Google is able to make a faster browser than IE8 by
using Microsoft products :-))

The breakpoint is executed by the _invalid_parameter() function (called
from _invalid_parameter_noinfo(); defined in crt/src/invarg.c).
_invalid_parameter() is called when an invalid argument is
passed to a CRT function.

If you try to read "toto:%", it won't successfully identify the target;
it will then try to find a correct target by trying each well-known
protocol (ftp, https, ...) in turn, going through the memcpy_s() function
(see http://msdn.microsoft.com/en-us/library/8ef0s5kh(VS.80).aspx)
each time. The problem appears to come from the
\\autocomplete\\autocomplete.cc file.

This gives us interesting information: Google is using
Visual Studio >= 8.0 and should be respecting Microsoft's security guidelines
while developing Google Chrome. Let's see if these "new" guidelines
help provide a safer browser...

On Wed, Sep 3, 2008 at 2:46 PM, Isaac Dawson <isaac.dawson@gmail.com> wrote:
> Just remember,
> According to the EULA you 'clicked', Google now owns any vulnerability you find!
> http://tapthehive.com/discuss/This_Post_Not_Made_In_Chrome_Google_s_EULA_Sucks
> -isaac
>
> On Wed, Sep 3, 2008 at 11:04 AM, Rishi Narang <psy.echo@gmail.com> wrote:
>> Hi,
>>
>> Here is a flaw in the just-released Google Chrome Browser (Beta). This is not really a "Jail-Break" remote execution type of serious vulnerability (so far, it doesn't seem to be one), but it surely crashes the application (all tabs) and needs a browser restart. But, as a whole, the browser surely is very neat and fast!
>>
>> Google, with its own simplicity and creativity, has integrated features of the top browsers - Firefox, IE, Safari etc. Hope it didn't catch their bugs too, like the old Carpet Bombing Attack and the other speculations going wild!
>>
>> ---------------------------------------------------
>> Software:
>> Google Chrome Browser 0.2.149.27
>>
>> Tested:
>> Windows XP Professional SP3
>>
>> Result:
>> Google Chrome Crashes with All Tabs
>>
>> Problem:
>> An issue exists in how Chrome behaves with undefined handlers in chrome.dll version 0.2.149.27. A crash can result without user interaction. When a user is made to visit a malicious link which has an undefined handler followed by a 'special' character, Chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed. Restart now?". It crashes on "int 3" at 0x01002FF3 as an exception/trap (kernel), followed by a "POP EBP" instruction pointed to by the EIP register at 0x01002FF4.
>>
>> Proof of Concept:
>> http://evilfingers.com/advisory/google_chrome_poc.php
>>
>> Credit:
>> Rishi Narang
>> www.greyhat.in
>> www.evilfingers.com
>> ---------------------------------------------------
>>
>> --
>> Thanks & Regards,
>> Rishi Narang | Security Researcher
>> Founder, GREYHAT Insight
>> Key: 0x8D67A3A3 (www.greyhat.in/key.asc)
>> www.greyhat.in
>>
>> ... eschew obfuscation, espouse elucidation.
>>

--
Matthieu Suiche
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
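The memcpy_s()/_invalid_parameter() path Suiche describes, as an added example that is not code from this thread, from Chromium or from the Microsoft CRT: a small portable model of a secure-CRT-style checked copy with a replaceable invalid-parameter handler. It assumes the documented memcpy_s / _set_invalid_parameter_handler contract (EINVAL for null pointers, ERANGE when the count exceeds the destination size, destination zero-filled on a violation, handler may return and the call then fails with an error code); abort() stands in for the CRT's debug break / fast-fail (the "int 3" in the report), and the "https://" scheme with an 8-byte buffer is a constructed input. The point it makes is that the reported crash is a deliberate, controlled stop rather than an out-of-bounds write, which is why it is a denial-of-service bug and not a memory-corruption vulnerability.

```c
/* Portable model of a "secure CRT" checked copy plus invalid-parameter
 * handler. Added example: NOT the Microsoft CRT source; it only mirrors the
 * documented memcpy_s()/_set_invalid_parameter_handler() contract
 * (assumption: C11 Annex K error codes and zero-fill semantics). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*invalid_param_handler_t)(const char *expr, const char *func, unsigned line);

/* Default handler: like the CRT's _invalid_parameter(), it does not return.
 * The real CRT ends in a debug break / fast-fail; abort() is the portable
 * stand-in here (assumption). */
static void default_invalid_param(const char *expr, const char *func, unsigned line)
{
    fprintf(stderr, "Invalid parameter: %s (%s:%u)\n", expr, func, line);
    abort();
}

static invalid_param_handler_t g_handler = default_invalid_param;

/* Mirrors _set_invalid_parameter_handler(): installs h, returns the old one. */
invalid_param_handler_t set_invalid_param_handler(invalid_param_handler_t h)
{
    invalid_param_handler_t old = g_handler;
    g_handler = h ? h : default_invalid_param;
    return old;
}

/* Runs the handler on a failed constraint; if the handler returns, the
 * calling function fails with `code` instead of touching memory. */
#define VALIDATE(cond, code) \
    do { if (!(cond)) { g_handler(#cond, __func__, __LINE__); return (code); } } while (0)

/* memcpy_s-style copy: bad arguments never produce an overrun. On a
 * violation dest is zero-filled (so a caller that ignores the return
 * code still sees no attacker data) and an errno value is returned. */
int checked_memcpy(void *dest, size_t destsz, const void *src, size_t count)
{
    if (count == 0) return 0;
    VALIDATE(dest != NULL, EINVAL);
    if (src == NULL || destsz < count) {
        memset(dest, 0, destsz);
        VALIDATE(src != NULL, EINVAL);
        VALIDATE(destsz >= count, ERANGE);
    }
    memcpy(dest, src, count);
    return 0;
}

/* A handler that records the event and returns, the way a program that
 * wants an error code instead of a crash would install one. */
static unsigned g_handler_calls = 0;
static void recording_handler(const char *expr, const char *func, unsigned line)
{
    (void)expr; (void)func; (void)line;
    g_handler_calls++;
}

/* Scenario from the thread: copy a URL scheme into a fixed buffer that is
 * too small. Returns the copy's error code and reports whether the handler
 * fired and whether the destination was zeroed rather than overrun. */
int oversized_copy_result(int *handler_fired, int *dest_zeroed)
{
    char buf[8];
    const char scheme[] = "https://";   /* 9 bytes incl. NUL; constructed input */
    memset(buf, 'A', sizeof buf);
    unsigned before = g_handler_calls;
    invalid_param_handler_t prev = set_invalid_param_handler(recording_handler);
    int rc = checked_memcpy(buf, sizeof buf, scheme, sizeof scheme);
    set_invalid_param_handler(prev);
    *handler_fired = (g_handler_calls > before);
    *dest_zeroed = 1;
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0) *dest_zeroed = 0;
    return rc;
}

int main(void)
{
    int fired, zeroed;
    int rc = oversized_copy_result(&fired, &zeroed);
    printf("rc=%d (ERANGE=%d) handler_fired=%d dest_zeroed=%d\n", rc, ERANGE, fired, zeroed);
    /* With the default handler still installed, the same call would not
     * return: the handler aborts, which is the controlled stop the report
     * observed as "int 3" followed by a crash dialog. */
    return 0;
}
```

The practical caveat: installing a handler that merely returns turns every constraint violation into a silent zeroed buffer and an error code, which hides the underlying bug from crash reporting; if an application does that, it must check the return value of every checked copy and treat a failure as fatal for that operation.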