
Issue 1414

Starred by 4 users

Issue metadata

Status: Verified
Closed: Sep 2008
OS: All
Pri: 0
Type: Bug-Security

Restricted
  • Only users with Commit permission may comment.




Chrome Buffer Overflow Vulnerability - "SaveAs" Function

Reported by s...@bkav.com.vn, Sep 5 2008

Issue description

SVRT - Bkis has just discovered a vulnerability in Google Chrome 0.2.149.27
and would like to inform you of it. Here is the report:

Details:

- Type of Issue: Buffer Overflow.

- Affected Software: Google Chrome 0.2.149.27.

- Exploitation Environment: Google Chrome (Language: Vietnamese) on Windows
XP SP2.

- Impact: Remote code execution

- Description: 
The vulnerability is caused by a boundary error when handling the
“SaveAs” function. On saving a malicious page with an overly long title
(<title> tag in HTML), the program causes a stack-based overflow and makes
it possible for attackers to execute arbitrary code on users’ systems.

- How an attacker could exploit the issue:
To exploit the vulnerability, a hacker might construct a specially crafted
web page, which contains malicious code. He then tricks users into visiting
his website and convinces them to save this page. Right after that, the
code would be executed, giving him the privilege to make use of the
affected system.

- Exploitation code: Proof of Concept: Crash (Attached to this document).

- Researcher: AnhLD – SVRT member.

- About SVRT:
Bkis Vietnam is a security research center in Vietnam. SVRT, which is short
for Security Vulnerability Research Team, is one of Bkis's research
groups. SVRT specializes in the detection, alerting and announcement of
security vulnerabilities in software, operating systems, network protocols
and embedded systems...

- Contact details:
Name: Security Vulnerability Research Team.

Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)

Office: 5th Floor, Hitech building - 1A Dai Co Viet, Hanoi
Email: svrt@bkav.com.vn 
WebBlog: security.bkis.vn
Website: www.bkav.com.vn 


Attachment: Chrome-Poc.html (3.5 KB)
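The bug class the report describes (a fixed-size stack buffer receiving a page title whose length is never checked), shown as an added example in C. This is not Chromium's code and not the Bkis proof of concept; it assumes a MAX_PATH-sized (260-byte) on-stack buffer, a ".html" suffix appended to the title, and the hypothetical helper names save_name_unchecked, save_name_checked, save_name_fits and checked_name_of. The hardened variant sizes the result before writing and refuses titles that do not fit, which is the same user-visible outcome ("This file name is invalid") the verifier reports further down this issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the bug class, not Chromium code.  Assumptions:
 * the Save As name is the page <title> plus ".html", built in a fixed
 * on-stack buffer of MAX_PATH (260) bytes, as on the Windows target. */
#define SAVE_NAME_CAP 260
#define SUFFIX ".html"

/* Vulnerable pattern: nothing compares strlen(title) with the buffer.
 * A <title> of more than 254 bytes writes past 'name' on the stack.
 * Kept only to show the missing check; never pass it untrusted input. */
void save_name_unchecked(const char *title)
{
    char name[SAVE_NAME_CAP];
    strcpy(name, title);            /* unbounded copy: stack overflow */
    strcat(name, SUFFIX);           /* can overflow again */
    printf("unchecked: would save as %s\n", name);
}

/* Hardened version: size the result before writing and refuse names that
 * do not fit.  Returns 0 on success, -1 if title + SUFFIX + NUL exceeds
 * out_cap.  The first comparison guards the size_t subtraction. */
int save_name_checked(const char *title, char *out, size_t out_cap)
{
    size_t tlen = strlen(title);
    size_t slen = strlen(SUFFIX);
    if (out_cap < slen + 1 || tlen > out_cap - slen - 1)
        return -1;
    memcpy(out, title, tlen);
    memcpy(out + tlen, SUFFIX, slen + 1);   /* copies the NUL too */
    return 0;
}

/* Demo helper: does a constructed title of title_len bytes fit the buffer?
 * Returns the save_name_checked result, or -2 on allocation failure. */
int save_name_fits(size_t title_len)
{
    char out[SAVE_NAME_CAP];
    char *title = malloc(title_len + 1);
    if (title == NULL)
        return -2;
    memset(title, 'A', title_len);          /* constructed title, PoC-style */
    title[title_len] = '\0';
    int rc = save_name_checked(title, out, sizeof out);
    free(title);
    return rc;
}

/* Demo helper: derived file name for a title, or NULL if it was rejected. */
const char *checked_name_of(const char *title)
{
    static char out[SAVE_NAME_CAP];
    return save_name_checked(title, out, sizeof out) == 0 ? out : NULL;
}

int main(void)
{
    save_name_unchecked("short title");      /* safe only because it is short */
    printf("checked:  %s\n", checked_name_of("short title"));
    printf("254-byte title: %s\n", save_name_fits(254) == 0 ? "accepted" : "rejected");
    printf("255-byte title: %s\n", save_name_fits(255) == 0 ? "accepted" : "rejected");
    printf("1000-byte title (PoC-style): %s\n",
           save_name_fits(1000) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The boundary is exact: 254 title bytes + 5 suffix bytes + the NUL fill the 260-byte buffer, and one more byte is refused rather than truncated, so the caller cannot be tricked into a silently different file name. Rejecting is also what the page's QA comment observes after the fix; truncation would be the alternative design if a usable name is preferred over an error.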
Thank you for the report.  This is likely another way to tickle the same issue we're
tracking internally at <http://b/issue?id=1361369>.  We'll keep you advised of our
progress on this issue.

Status: Started
Patch in hand.  Building release candidate.

Status: FixUnreleased
Thank you for disclosing this responsibly. We have reproduced the issues and believe 
we have developed a fix.

revision 1766 (http://src.chromium.org/viewvc/chrome?view=rev&revision=1766) has been 
applied to our release branch to address this issue.

QA: Please use the test case provided in this issue (open the file and then right-
click > Save As...) to verify the fix.

I'll continue to update this issue with expected timelines for when we have verified 
the fix and when we start updating users.

Anantha: we need to assign a verifier for build 149.28.

Comment 4 by lcam...@gmail.com, Sep 5 2008

This just got posted publicly on a mailing list:

Date: Fri, 05 Sep 2008 20:12:49 +0700
From: SVRT <svrt@bkav.com.vn>
To: full-disclosure@lists.grok.org.uk
Subject: Google Chrome 0.2.149.27 'SaveAs' Function Buffer Overflow Vulnerability

Verified that I get a 'This file name is invalid' error when I try to save the HTML 
file through the 'Save As' option.
Labels: -private
Status: Verified

Comment 7 by jsc...@chromium.org, Mar 21 2011

Labels: Type-Security

Comment 8 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 9 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security Type-Bug-Security
Labels: allpublic
