Status: Fixed
Closed: Nov 2010
OS: All
Pri: 2
Type: Bug-Security
Security: Google Chrome crashes when a request passes through a proxy and receives a 407 HTTP error code from the server
Reported by mohammed...@gmail.com, Nov 3 2010
VULNERABILITY DETAILS
Any server may host a page returning 407 Proxy Authentication Required and cause a Google Chrome crash on the client side.
I'm not an expert in exploiting these vulnerabilities, but maybe this is exploitable in a more dangerous manner.

VERSION
Chrome Version: [7.0.517.41] + [stable]
Operating System: [Windows, XP, SP3  + Linux]

REPRODUCTION CASE
The bug can be reproduced in this manner:

1- An outgoing anonymous proxy (not using authentication) has to be configured in Chrome
2- Go to a server that responds with a 407 Proxy Authentication Required page. Here is an example (you have permission to go to this page, but please use with caution):
https://www.denyall.com/otrs/test.pl

For now I was not able to reproduce it on an HTTP page. It seems to happen only on HTTPS pages.

Type of crash: [browser]
Crash State: [see attached dump file and screenshot obtained with windbg.exe]
Client ID (if relevant): "ABEA0F66-899E-43F8-9D28-62408978139A"

Please do not hesitate to ask me more questions/information if needed.

Best Regards,
--
Mohamed Bouhlel
mbouhlel@denyall.com
mohammed.bouhlel@gmail.com

Tel : +33 (0)1 40 07 47 23
Fax : +33 (0)1 40 07 47 27
Deny All - 23, rue Notre Dame des Victoires - 75002 Paris - France

www.denyall.com
--
Attachments: chrome-7.0.517.41.dmp (48.6 KB), windbg-chrome-dump.png (46.6 KB)
Labels: SecSeverity-Low
Looks like a NULL deref in the browser process. Marking as low severity for now; will investigate further.
Labels: -Area-Undefined -SecSeverity-Low Area-Internals Internals-Network
Can't get this to repro on stable or dev, and my initial severity estimate was just based on the crash state.

@eroman - can you take a look?
To reproduce, just use an anonymous proxy in Chrome and visit this page: https://www.denyall.com/otrs/test.pl
Mohammed, can you please get us a crash report - http://www.chromium.org/for-testers/bug-reporting-guidelines/reporting-crash-bug. 
Status: Assigned
I can reproduce quite easily on canary. Here is a report and callstack:

http://crash/reportdetail?reportid=ff21d2eb75259ace

Thread 9 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000000 )

0x6afe25d6	 [chrome.dll	 - http_network_transaction.cc:1094]	net::HttpNetworkTransaction::HandleAuthChallenge()
0x6afe199b	 [chrome.dll	 - http_network_transaction.cc:764]	net::HttpNetworkTransaction::DoReadHeadersComplete(int)
0x6afe1222	 [chrome.dll	 - http_network_transaction.cc:487]	net::HttpNetworkTransaction::DoLoop(int)
0x6afe1091	 [chrome.dll	 - http_network_transaction.cc:431]	net::HttpNetworkTransaction::OnIOComplete(int)
0x6a7f8d44	 [chrome.dll	 - callback.h:119]	CallbackImpl<browser_sync::ForeignSessionHandler,void ( browser_sync::ForeignSessionHandler::*)(ListValue const *),Tuple1<ListValue const *> >::RunWithParams(Tuple1<ListValue const *> const &)
0x6b013c95	 [chrome.dll	 - http_stream_parser.cc:132]	net::HttpStreamParser::OnIOComplete(int)
0x6a9ca246	 [chrome.dll	 - callback.h:119]	CallbackImpl<net::SOCKSClientSocket,void ( net::SOCKSClientSocket::*)(int),Tuple1<int> >::RunWithParams(Tuple1<int> const &)
0x6aff0db9	 [chrome.dll	 - ssl_client_socket_nss.cc:1241]	net::SSLClientSocketNSS::DoReadCallback(int)
0x6aff12c7	 [chrome.dll	 - ssl_client_socket_nss.cc:1480]	net::SSLClientSocketNSS::BufferRecvComplete(int)
0x6a9ca246	 [chrome.dll	 - callback.h:119]	CallbackImpl<net::SOCKSClientSocket,void ( net::SOCKSClientSocket::*)(int),Tuple1<int> >::RunWithParams(Tuple1<int> const &)
0x6aff3d44	 [chrome.dll	 - tcp_client_socket_win.cc:742]	net::TCPClientSocketWin::DoReadCallback(int)
0x6aff3e7d	 [chrome.dll	 - tcp_client_socket_win.cc:799]	net::TCPClientSocketWin::DidCompleteRead()
0x6aff316f	 [chrome.dll	 - tcp_client_socket_win.cc:263]	net::TCPClientSocketWin::Core::ReadDelegate::OnObjectSignaled(void *)
0x6a720c70	 [chrome.dll	 - object_watcher.cc:30]	base::ObjectWatcher::Watch::Run()
0x6a7074e1	 [chrome.dll	 - message_loop.cc:416]	MessageLoop::RunTask(Task *)
0x6a707568	 [chrome.dll	 - message_loop.cc:425]	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &)
0x6a707702	 [chrome.dll	 - message_loop.cc:532]	MessageLoop::DoWork()
0x6a71d076	 [chrome.dll	 - message_pump_win.cc:463]	base::MessagePumpForIO::DoRunLoop()
0x6a71cb0d	 [chrome.dll	 - message_pump_win.cc:49]	base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate *,base::MessagePumpWin::Dispatcher *)
0x6a71c9c0	 [chrome.dll	 - message_pump_win.h:80]	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x6a707287	 [chrome.dll	 - message_loop.cc:264]	MessageLoop::RunInternal()
0x6a707205	 [chrome.dll	 - message_loop.cc:236]	MessageLoop::RunHandler()
0x6a7071b3	 [chrome.dll	 - message_loop.cc:214]	MessageLoop::Run()
0x6b11c4f6	 [chrome.dll	 - thread.cc:140]	base::Thread::Run(MessageLoop *)
0x6b11c5a2	 [chrome.dll	 - thread.cc:164]	base::Thread::ThreadMain()
0x6a70fa89	 [chrome.dll	 - platform_thread_win.cc:26]	`anonymous namespace'::ThreadFunc(void *)
0x762b3676	 [kernel32.dll	 + 0x00013676]	BaseThreadInitThunk
0x77ae9d41	 [ntdll.dll	 + 0x00039d41]	__RtlUserThreadStart
0x77ae9d14	 [ntdll.dll	 + 0x00039d14]	_RtlUserThreadStart
Chris can you take a look at this?
Yes. 
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=65225

------------------------------------------------------------------------
r65225 | cbentzel@chromium.org | Fri Nov 05 11:31:10 PDT 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_network_transaction.cc?r1=65225&r2=65224&pathrev=65225
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/http/http_network_transaction_unittest.cc?r1=65225&r2=65224&pathrev=65225

Crash fix: HTTPS server responds with 407 through non-authenticating proxy.

Now, HttpNetworkTransaction::HandleAuthChallenge returns ERR_INVALID_PROXY_AUTHENTICATE when this is detected.

BUG= 61701 
TEST=net_unittests --gtest_filter="*HttpsServerRequestsProxyAuthThroughProxy*"

Review URL: http://codereview.chromium.org/4575001
------------------------------------------------------------------------
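To make the commit's check concrete, here is an added example (not Chromium's code and not part of this bug report) modelling the HandleAuthChallenge path from the stack above: a 407 is accepted only when the proxy itself could have produced the response, otherwise ERR_INVALID_PROXY_AUTHENTICATE is returned before any auth controller is touched. It assumes the crash mechanism was a missing proxy auth controller being dereferenced, and it also rejects a 407 when no proxy is configured at all, which goes beyond what the commit message states. Every name other than ERR_INVALID_PROXY_AUTHENTICATE is hypothetical.

```cpp
#include <memory>

// Hypothetical error values; only ERR_INVALID_PROXY_AUTHENTICATE is named on the page.
enum NetError { OK = 0, ERR_INVALID_PROXY_AUTHENTICATE = -1, ERR_UNEXPECTED = -2 };

struct Request {
  bool via_proxy;      // a proxy is configured for this request
  bool is_https;       // HTTPS via a proxy means a CONNECT tunnel
  bool connect_phase;  // this response answers the CONNECT itself, not the origin
};

struct AuthController {
  bool challenged = false;
  int HandleChallenge() { challenged = true; return OK; }  // stand-in for challenge parsing
};

struct Transaction {
  Request req;
  std::unique_ptr<AuthController> proxy_auth;   // absent when the proxy never challenged us
  std::unique_ptr<AuthController> server_auth;
};

// A 407 can only legitimately come from the proxy: on a plain-HTTP request it forwards,
// or as its reply to CONNECT. Once an HTTPS tunnel is up, bytes are end-to-end from the
// origin, so a 407 there is not a proxy challenge at all (assumed model).
bool ProxyChallengeIsLegitimate(const Request& r) {
  return r.via_proxy && (!r.is_https || r.connect_phase);
}

int HandleAuthChallenge(Transaction& t, int status) {
  if (status != 401 && status != 407) return OK;
  const bool proxy_challenge = (status == 407);
  // The fix: reject the bogus challenge instead of consulting a proxy auth
  // controller that was never created for this connection.
  if (proxy_challenge && !ProxyChallengeIsLegitimate(t.req))
    return ERR_INVALID_PROXY_AUTHENTICATE;
  AuthController* c = proxy_challenge ? t.proxy_auth.get() : t.server_auth.get();
  if (!c) return ERR_UNEXPECTED;  // defensive; assumed site of the reported NULL deref
  return c->HandleChallenge();
}

// Drives one response through the handler for a given request shape.
int Outcome(bool via_proxy, bool is_https, bool connect_phase,
            bool proxy_challenged_connect, int status) {
  Transaction t;
  t.req = {via_proxy, is_https, connect_phase};
  if (proxy_challenged_connect) t.proxy_auth = std::make_unique<AuthController>();
  t.server_auth = std::make_unique<AuthController>();
  return HandleAuthChallenge(t, status);
}
```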
Hi Chromium team,
Thank you for the fix and the great job.
What about the security severity level? Will it be updated later?
Thanks,

Labels: SecSeverity-Low
Looks like a clean NULL pointer, so not particularly severe.
Labels: -Pri-0 Pri-2 OS-All
Status: FixUnreleased
merged to M8 in r65245
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=65245

------------------------------------------------------------------------
r65245 | inferno@chromium.org | Fri Nov 05 13:28:18 PDT 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/552/src/net/http/http_network_transaction_unittest.cc?r1=65245&r2=65244&pathrev=65245
 M http://src.chromium.org/viewvc/chrome/branches/552/src/net/http/http_network_transaction.cc?r1=65245&r2=65244&pathrev=65245

Merge 65225 - Crash fix: HTTPS server responds with 407 through non-authenticating proxy.

Now, HttpNetworkTransaction::HandleAuthChallenge returns ERR_INVALID_PROXY_AUTHENTICATE when this is detected.

BUG= 61701 
TEST=net_unittests --gtest_filter="*HttpsServerRequestsProxyAuthThroughProxy*"

Review URL: http://codereview.chromium.org/4575001

Review URL: http://codereview.chromium.org/4526002
------------------------------------------------------------------------
Labels: ReleaseBlock-Stable
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=65258

------------------------------------------------------------------------
r65258 | inferno@chromium.org | Fri Nov 05 15:09:39 PDT 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/552/src/net/http/http_network_transaction_unittest.cc?r1=65258&r2=65257&pathrev=65258
 M http://src.chromium.org/viewvc/chrome/branches/552/src/net/http/http_network_transaction.cc?r1=65258&r2=65257&pathrev=65258

Revert 65245 - Merge 65225 - Crash fix: HTTPS server responds with 407 through non-authenticating proxy.

Now, HttpNetworkTransaction::HandleAuthChallenge returns ERR_INVALID_PROXY_AUTHENTICATE when this is detected.

BUG= 61701 
TEST=net_unittests --gtest_filter="*HttpsServerRequestsProxyAuthThroughProxy*"

Review URL: http://codereview.chromium.org/4575001

Review URL: http://codereview.chromium.org/4526002

TBR=inferno@chromium.org
Review URL: http://codereview.chromium.org/4604001
------------------------------------------------------------------------
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=65259

------------------------------------------------------------------------
r65259 | inferno@chromium.org | Fri Nov 05 15:11:58 PDT 2010

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/552/src/net/http/http_network_transaction.cc?r1=65259&r2=65258&pathrev=65259

Merge 65225 - Doing this without unittest which breaks the compile.

Crash fix: HTTPS server responds with 407 through non-authenticating proxy.

Now, HttpNetworkTransaction::HandleAuthChallenge returns ERR_INVALID_PROXY_AUTHENTICATE when this is detected.

BUG= 61701 
TEST=net_unittests --gtest_filter="*HttpsServerRequestsProxyAuthThroughProxy*"

Review URL: http://codereview.chromium.org/4575001

Review URL: http://codereview.chromium.org/4606001
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityNotify
Status: Fixed
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Project Member Comment 21 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 22 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-Internals -Internals-Network -SecSeverity-Low -Type-Security -SecImpacts-Stable Security-Severity-Low Security-Impact-Stable Cr-Internals Cr-Internals-Network Type-Bug-Security
Project Member Comment 23 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 24 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Labels: allpublic