Full Disclosure mailing list archives
Chrome Null Pointer in InspectDataSource::StartDataRequest
From: Heyder Andrade <heyder.andrade () gmail com>
Date: Thu, 14 Mar 2013 00:39:18 -0300
---| overview

Vulnerability: Chrome Null Pointer in InspectDataSource::StartDataRequest
Date: 03/14/2012
Author: @HeyderAndrade (heyder.andrade[at]gmail[dot]com)
Chrome Version: =< 21.0.1180.57 stable
Operating System Tested: Win XP SP2, WIN7, Mac OS X 10.6.8 (10K549), Linux Ubuntu 12.04
Architecture: x86 and Amd64

---| steps that will reproduce this crash

1. Open the browser and visit any site that has an SSL certificate signed by a CA that is not trusted. An SSL error will be shown; DON'T click "proceed anyway".
2. Open a new tab and access chrome://inspect

ps. I believe it should work with any SSL error, but I tested only with the invalid-CA error.

---| original OSX Crash Report

Process: Google Chrome [767]
Path: /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier: com.google.Chrome
Version: 21.0.1180.57 (1180.57)
Code Type: X86 (Native)
Parent Process: launchd [158]
Date/Time: 2012-08-08 22:53:09.442 -0300
OS Version: Mac OS X 10.6.8 (10K549)
Report Version: 6
Interval Since Last Report: 19713 sec
Crashes Since Last Report: 1
Per-App Interval Since Last Report: 19374 sec
Per-App Crashes Since Last Report: 1
Anonymous UUID: B5BA5F00-E166-4923-9393-E0FC63561975
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0 CrBrowserMain Dispatch queue: com.apple.main-thread

---| source code

This vulnerability lies in the function call DCHECK (line 118 of inspect_ui.cc): the render_process_host can be NULL.

file: browser/ui/webui/inspect_ui.cc
line: 188
function: DCHECK(render_process_host);

---| source code fix

if (!render_process_host->HasConnection()) continue;

---| timeline of disclosure

- discovery of vulnerability - Aug 08, 2012
- code.google.com report - Aug 15, 2012
- Chromium community fix - Oct 11, 2012
- This disclosure - Mar 14, 2013

---| references

https://chromiumcodereview.appspot.com/11066114/ (for some reason this issue was removed)
https://code.google.com/p/chromium/issues/detail?id=142979 (not public)
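The bug class above (a DCHECK on a pointer followed by a dereference) is illustrated by this added example, which is not Chromium's code and not part of the original advisory: FakeRenderProcessHost, DCHECK_LIKE and the loop functions are hypothetical stand-ins, and the host list is constructed sample data. It shows why an assertion that is compiled out in release builds, as DCHECK is, does not protect the `->HasConnection()` call, and how a loop that also skips null hosts avoids the crash.

```cpp
#include <vector>

// Constructed stand-in for Chromium's RenderProcessHost (hypothetical name);
// only the one method the advisory mentions is modelled.
struct FakeRenderProcessHost {
  bool connected;
  bool HasConnection() const { return connected; }
};

// Simplified DCHECK: records a failure in debug builds and is compiled away
// under NDEBUG (release), so it cannot replace a runtime null check.
int g_dcheck_failures = 0;
#ifdef NDEBUG
#define DCHECK_LIKE(cond) ((void)0)
#else
#define DCHECK_LIKE(cond) do { if (!(cond)) ++g_dcheck_failures; } while (0)
#endif
// Mirrors the unguarded loop: DCHECK(host) then host->HasConnection().
// Returns true at the point a null host would be dereferenced, without faulting.
bool UnguardedLoopWouldCrash(const std::vector<const FakeRenderProcessHost*>& hosts) {
  for (const FakeRenderProcessHost* host : hosts) {
    DCHECK_LIKE(host != nullptr);          // no-op in release
    if (host == nullptr) return true;      // host->HasConnection() would fault here
    if (!host->HasConnection()) continue;  // original skip for unconnected hosts
  }
  return false;
}

// Hardened loop: a missing host is treated like an unconnected one and skipped.
int CountConnectedHostsSafely(const std::vector<const FakeRenderProcessHost*>& hosts) {
  int connected = 0;
  for (const FakeRenderProcessHost* host : hosts) {
    if (host == nullptr || !host->HasConnection()) continue;
    ++connected;
  }
  return connected;
}

// Constructed sample: two connected hosts, one detached, and a null entry
// like the one the advisory's SSL-error tab produces.
std::vector<const FakeRenderProcessHost*> SampleHosts() {
  static const FakeRenderProcessHost kConnected{true};
  static const FakeRenderProcessHost kDetached{false};
  return {&kConnected, nullptr, &kDetached, &kConnected};
}

int main() {
  const std::vector<const FakeRenderProcessHost*> hosts = SampleHosts();
  return (UnguardedLoopWouldCrash(hosts) && CountConnectedHostsSafely(hosts) == 2) ? 0 : 1;
}
```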
Attachment: gdb_linux.txt
Heyder Andrade heyder.andrade () gmail com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/