Re: Google Chrome Browser Flaw

[Rishi Narang <psy.echo () gmail com>]

Hi,

"Time" can definitely plays a major role.  There was a collision that occurred due to the fact that I took time to find 
the real break point in the code, search for a template and to publish at EvilFingers site before sending it to Google 
and other bugtraqs. 

Even though I had the vulnerability 4 hrs well before the real publication of the bug and had the exploit along with 
the some crash details like "int 3" Kernel Exception/Trap @ 0x01002FF3, different attack cases, exceptions of http/ftp 
and further debug logs; there was this bug published (though without the details of possible cases, exceptions and 
mouse hover techniques) couple of hours before I released it out at EvilFingers.

So, I would like to convey due credit to Mr. JanDeMooij as well for his posting the bug on 
http://code.google.com/p/chromium/issues/detail?id=122, and thanks to Mr. Brennan for contacting me about the same.


--
Thanks & Regards,
Rishi Narang | Security Researcher
Founder, GREYHAT Insight
Key: 0x8D67A3A3 (www.greyhat.in/key.asc) 
www.greyhat.in 

... eschew obfuscation, espouse elucidation.

Wednesday, September 3, 2008, 6:16:01 PM, you wrote:


> On Wed, Sep 3, 2008 at 11:04 AM, Rishi Narang <psy.echo () gmail com> wrote:
> > Hi,

> > Here is a flaw in just released Google Chrome Browser (Beta). This not a really a "Jail-Break" remote execution type 
> > of serious vulnerability (till now, it doesn't seem one) but surely crashes the application (all tabs) and needs a 
> > browser restart. But, as a whole the browser surely is very neat and fast!

> > Google with its own simplicity and creativity, has taken integrated features of top browsers - Firefox, IE, Safari 
> > etc. Hope, it didn't catch their bugs too, as the old Carpet Bombing Attack and other speculations going in wild!

> > ---------------------------------------------------
> > Software:
> > Google Chrome Browser 0.2.149.27

> > Tested:
> > Windows XP Professional SP3

> > Result:
> > Google Chrome Crashes with All Tabs

> > Problem:
> > An issue exists in how chrome behaves with undefined-handlers in chrome.dll version 0.2.149.27. A crash can result 
> > without user interaction. When a user is made to visit a malicious link, which has an undefined handler followed by 
> > a 'special' character, the chrome crashes with a Google Chrome message window "Whoa! Google Chrome has crashed. 
> > Restart now?". It crashes on "int 3" at 0x01002FF3 as an exception/trap (kernel), followed by "POP EBP" instruction 
> > when pointed out by the EIP register at 0x01002FF4.

> > Proof of Concept:
> > http://evilfingers.com/advisory/google_chrome_poc.php

> > Credit:
> > Rishi Narang
> > www.greyhat.in
> > www.evilfingers.com
> > ---------------------------------------------------

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave