
Issue metadata

Status: Duplicate
Merged: issue 112983
Owner:
Closed: Mar 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security


Issue 119995: Security: NULL pointer crash from EBML header passed over FTP

Reported by gsog2...@gmail.com, Mar 25 2012

Issue description

A custom-crafted FTP reply causes a NULL pointer read access violation and crashes Chrome.
The FTP session first moves to another port using FTP's Extended Passive Mode (EPSV), then 4 bytes are sent from the server to Chrome and it crashes.

Couldn't figure out if this bug is exploitable for code execution.

Attached:
omg.py - PoC python server script.
omg.pcap - PCAP packet dump of an example FTP session.
omg.dump - WinDBG crash dump.

Chrome Version: 17.0.963.83 (Stable)
Operating System: Windows 7 Ultimate SP1, 32-bit

Type of crash: Browser

Crash State:
eax=03a4f000 ebx=051afb80 ecx=00000000 edx=00000000 esi=03a186e0 edi=03a186e0
eip=5b3a3832 esp=0366f19c ebp=0366f1b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
chrome_5aae0000!DelayedLowerToken+0x3498d5:
5b3a3832 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????

Comment 1 by gsog2...@gmail.com, Mar 26 2012

I forgot to mention, the 4 byte sequence "\x1a\x45\xdf\xa3" is the matroska (MKV) EBML header.
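
As an illustration of the failure mode described in this report (a probe that sees the 4-byte EBML ID and reads on as if the rest of the header had arrived), here is a bounds-checked EBML header probe in C. This is example code added to this page, not Chromium's or FFmpeg's code and not the fix that the FFmpeg roll carried; the sample byte strings are constructed for the example, not taken from omg.pcap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* An EBML document begins with the element ID 1A 45 DF A3, then a
 * variable-length size field, then the header body. A probe must treat
 * "only the ID has arrived" as incomplete input, never as a header to parse. */
enum { EBML_OK = 0, EBML_NEED_MORE = 1, EBML_NOT_EBML = -1, EBML_BAD_SIZE = -2 };

static const uint8_t EBML_ID[4] = {0x1a, 0x45, 0xdf, 0xa3};

/* Constructed sample streams (illustrative, not from the report's capture). */
static const uint8_t SAMPLE_MAGIC_ONLY[] = {0x1a, 0x45, 0xdf, 0xa3};
static const uint8_t SAMPLE_COMPLETE[]   = {0x1a, 0x45, 0xdf, 0xa3, 0x83, 0x42, 0x86, 0x81};
static const uint8_t SAMPLE_ZERO_SIZE[]  = {0x1a, 0x45, 0xdf, 0xa3, 0x00};

/* Decode an EBML variable-length size. Returns bytes consumed (1..8),
 * 0 if the field is truncated, -1 if the marker byte is invalid (0x00). */
static int ebml_read_size(const uint8_t *p, size_t avail, uint64_t *out)
{
    if (avail == 0) return 0;
    int len = 1;
    uint8_t mask = 0x80;
    while (len <= 8 && !(p[0] & mask)) { mask >>= 1; len++; }
    if (len > 8) return -1;              /* no length marker bit set at all */
    if ((size_t)len > avail) return 0;   /* size field itself is cut short */
    uint64_t v = p[0] & (uint8_t)(mask - 1);
    for (int i = 1; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    return len;
}

/* Probe buf[0..avail). On EBML_OK, *body_len (if non-NULL) is the header body length. */
int ebml_probe(const uint8_t *buf, size_t avail, uint64_t *body_len)
{
    if (avail < sizeof EBML_ID)          /* partial ID: ask for more, do not reject */
        return memcmp(buf, EBML_ID, avail) == 0 ? EBML_NEED_MORE : EBML_NOT_EBML;
    if (memcmp(buf, EBML_ID, sizeof EBML_ID) != 0) return EBML_NOT_EBML;
    uint64_t size;
    int n = ebml_read_size(buf + 4, avail - 4, &size);
    if (n == 0) return EBML_NEED_MORE;   /* exactly the 4-byte case in this report */
    if (n < 0) return EBML_BAD_SIZE;
    if (size > avail - 4 - (size_t)n) return EBML_NEED_MORE; /* body not fully here */
    if (body_len) *body_len = size;
    return EBML_OK;
}

/* Convenience: header body length, or 0 when the probe does not succeed. */
uint64_t ebml_header_body_len(const uint8_t *buf, size_t avail)
{
    uint64_t len = 0;
    return ebml_probe(buf, avail, &len) == EBML_OK ? len : 0;
}
```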

Comment 2 by kenrb@chromium.org, Mar 26 2012

Cc: feature-media-bugs@chromium.org xhw...@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-2 Area-Internals SecImpacts-Stable SecImpacts-Beta OS-All SecSeverity-Low
Status: Untriaged
Summary: Security: NULL pointer crash from EBML header passed over FTP
I can verify this problem on stable and beta, though it looks like it might be fixed already because it doesn't show on canary.

Since it looks like it might be media related, is anyone who is cc'd able to look at what is happening here and assess if it really is fixed? (We'd be interested in knowing what fixed it, if so).

Comment 3 by imasaki@chromium.org, Mar 26 2012

Cc: fischman@chromium.org
This might be related to issue 112983.

fischman@, can you verify this?

Comment 4 by infe...@chromium.org, Mar 26 2012

Labels: Feature-Media
Owner: scherkus@chromium.org
Status: Assigned
Since this is media related, Andrew, can you please help to triage.

Comment 5 by scherkus@chromium.org, Mar 26 2012

Owner: dalecur...@chromium.org
dalecurtis did an FFmpeg roll that may have fixed this

Comment 6 by dalecur...@chromium.org, Mar 26 2012

Looks related to the ffmpeg roll, fixed now. Do you have a chrome crash id I can use to see the stack trace? I might be able to narrow it down to a patch set upstream then.

We won't be able to backport the roll, but if security thinks this is serious enough we can look into backporting the patch(es) which fixed this.

Comment 7 by scarybea...@gmail.com, Mar 26 2012

Do we have a symbolized stack trace?
Is it a browser crash or a renderer crash?

Comment 8 by kenrb@chromium.org, Mar 26 2012

I grabbed a crash id from beta on OS X, not sure if it will be helpful. It looks like the crash is actually during processing of an FTP job.

21ebe89a1dcb11bd

Comment 9 by kenrb@chromium.org, Mar 26 2012

@scarybeasts: Browser crash on NULL deref.

It's probably not worth backporting anything since it's low severity. But I wonder if this might be an FTP bug rather than a media bug, looking at the stack trace and the behavior.

Comment 10 by fischman@chromium.org, Mar 26 2012

Looks like a duplicate of bug 112983, which I fixed in r121378, which is only present in m19, not m18.

Comment 11 by kenrb@chromium.org, Mar 26 2012

Mergedinto: 112983
Status: Duplicate
@fischman: Yes it does, thanks.

Comment 12 by bugdroid1@chromium.org, Oct 13 2012

Project Member
Labels: Restrict-AddIssueComment-Commit
Mergedinto: chromium:112983
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-Internals -SecImpacts-Stable -SecImpacts-Beta -SecSeverity-Low -Feature-Media Security-Severity-Low Cr-Internals-Media Security-Impact-Stable Security-Impact-Beta Cr-Internals Type-Bug-Security

Comment 14 by bugdroid1@chromium.org, Mar 13 2013

Project Member
Labels: Restrict-View-EditIssue

Comment 15 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Low Security_Severity-Low

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 18 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 19 by ClusterFuzz, Feb 6 2014

Project Member
Labels: -Restrict-View-EditIssue
Bulk update: removing view restriction from closed bugs.

Comment 20 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
