
Issue 147642 link

Starred by 3 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


xinput1_3.dll in chrome folder is not build with ASLR

Reported by cimstor...@gmail.com, Sep 10 2012

Issue description

Chrome Version       : 21.0.1180.89 m
URLs (if applicable) : C:\Users\cimsto\AppData\Local\Google\Chrome\Application\21.0.1180.89\xinput1_3.dll

This is a DLL that is a part of DirectX. You can find it in the home directory of Chrome. On a new Win 7 machine, fully up to date, it is not built with ASLR. When a file is not built with ASLR it can be used to bypass ASLR + DEP in Chrome. Even with this file being just 80KB there is still a big chance for a ROP payload to be possible. I tested mona.py on it but it didn't work. This would be since mona relies on a simple algorithm.

What steps will reproduce the problem?
1. Check if the DLL is built with ASLR; you can use things like PeStudio369 or a debugger.
2.
3.

What is the expected result?
That it is built with ASLR

What happens instead?
It's not built with ASLR

Please provide any additional information below. Attach a screenshot if possible.

This is something that an attacker might use in their exploit chain at Pwnium.

Comment 1 by mega...@gmail.com, Sep 10 2012

I think MS frowns on bundling DirectX DLLs with an application.  The application is supposed to run the DirectX installer at install time instead so the latest versions of the proper DLLs are installed to the system path.

Isn't Xinput DLL for Xbox 360 controllers?  Is this for the gamepad API or something?
Yes, this DLL will only be loaded when the user interacts with a gamepad. cc https://groups.google.com/a/chromium.org/forum/?fromgroups=#!topic/chromium-reviews/Ovp4dVRTu8c

As it is being used by Chrome, not building it with ASLR is a problem. From platform_data_fetcher_win.h:
"We include xinput1_3.dll with Chrome."

Comment 3 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Undefined

Comment 4 by wfh@chromium.org, Nov 12 2014

Cc: cpu@chromium.org jsc...@chromium.org rvargas@chromium.org
Labels: Cr-Security
Status: Untriaged
We should investigate whether we can bundle a version of the xinput DLL that supports ASLR.

Comment 5 by jsc...@chromium.org, Nov 13 2014

MS hasn't updated this DLL since 2010, and last we asked things went nowhere. However, it does have a relocation section, so we should be able to use the process mitigations API to guarantee that it will be relocated on win7+, or we can get really ugly and just stomp on the preferred base address of the one we ship.
Cc: -rvargas@chromium.org
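The reporter's reproduction step 1 (check whether the DLL was built with ASLR) and comment 5's observation (no ASLR opt-in, but a relocation section is present, so mandatory ASLR can still rebase it) both come down to a few fields in the PE headers: the DYNAMIC_BASE bit in the optional header's DllCharacteristics, the RELOCS_STRIPPED bit in the COFF characteristics, and the size of the base-relocation data directory. The script below is an added example written for this page; it is not part of the bug report and not Chromium code. It reads those fields directly with `struct`, so it needs no third-party PE library, and it classifies an image the way a triager would: ASLR-enabled, relocatable-but-not-opted-in (the xinput1_3.dll case as comment 5 describes it), or fixed-base. The `build_minimal_pe32` helper constructs header-only sample images for demonstration; they are not the real xinput1_3.dll, and the file path in the `__main__` block is a placeholder.

```python
import struct
import sys

# PE header flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DllCharacteristics: DEP compatible
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5             # index of the base-relocation data directory


def analyze_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and report ASLR-relevant fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, coff_chars = struct.unpack_from("<HHIIIHH", data, coff)

    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 32-bit image
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        num_rva_off, data_dir_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit image
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        num_rva_off, data_dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # DllCharacteristics sits at the same offset in both optional header layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_rva = struct.unpack_from("<I", data, num_rva_off)[0]
    reloc_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _, reloc_size = struct.unpack_from(
            "<II", data, data_dir_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    has_relocs = reloc_size > 0 and not relocs_stripped

    if dynamic_base:
        verdict = "aslr"                  # loader randomizes the base on every load
    elif has_relocs:
        verdict = "relocatable-no-aslr"   # comment 5's case: force-relocate can rebase it
    else:
        verdict = "fixed-base"            # always maps at image_base; nothing can move it

    return {
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "has_relocs": has_relocs,
        "relocs_stripped": relocs_stripped,
        "verdict": verdict,
    }


def build_minimal_pe32(dll_characteristics: int, reloc_size: int,
                       coff_characteristics: int = 0x2102) -> bytes:
    """Constructed header-only PE32 image for testing; not a real DLL."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # i386 machine, 0 sections, 224-byte optional header (96 fixed + 16 data dirs)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, coff_characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)           # ImageBase (sample value)
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x3000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Read a PE file from disk and analyze it."""
    with open(path, "rb") as f:
        return analyze_pe(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. python check_aslr.py path\to\xinput1_3.dll (placeholder path)
        print(check_file(sys.argv[1]))
    else:                          # no path given: run the constructed samples
        for label, dc, rs, cc in [("aslr+dep", 0x0140, 0x200, 0x2102),
                                  ("dep-only, relocatable", 0x0100, 0x200, 0x2102),
                                  ("stripped", 0x0000, 0, 0x2103)]:
            print(label, analyze_pe(build_minimal_pe32(dc, rs, cc)))
```

The middle verdict is the one that matters for this bug: an image with a relocation section but without DYNAMIC_BASE is not randomized by default, yet the loader can still rebase it when the process opts into mandatory ASLR (the "process mitigations API" route comment 5 mentions), because the relocation data lets it fix up absolute addresses. Only an image with RELOCS_STRIPPED set (or no relocation directory at all) is stuck at its preferred base.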

Comment 7 by cpu@chromium.org, May 18 2016

Cc: -cpu@chromium.org
