Security: Search prediction service over HTTP crashes Chrome on Linux
Reported by resea...@nightwatchcybersecurity.com, Jun 30 2016
Issue description
VULNERABILITY DETAILS
Some of the built-in search engines that come with Chrome do not use SSL for the prediction service in the OmniBar. Hijacking the connection and serving large responses will crash Chrome on Linux by running out of memory. This only happens on Linux; on Mac OS, Android and Windows, the request stops after consuming around 10-30 MB (still not a good thing, but not as bad as a crash). We didn't try testing on Android with a slow connection to see if the browser would hang while the download happens.
Search engines are defined in /src/components/search_engines/prepopulated_engines.json; two default ones (AOL and Ask.com) are not using SSL for US/English. We tested those.
The source of the bug seems to be in src/components/omnibox/browser/zero_suggest_provider.cc, lines 312-338, specifically:
fetcher_->SetExtraRequestHeaders(headers.ToString());
fetcher_->Start();
There doesn't seem to be a limit on how big the response can be, although some sort of overall fetch protection seems to kick in for MacOS, Android and Windows.
VERSION
Chrome Version: 51.0.2704.106 (Official Build) (64-bit)
Operating System: Ubuntu 16.04
REPRODUCTION CASE
1. Install DNSMASQ:
sudo apt-get install dnsmasq
2. Install NGINX:
sudo apt-get install nginx
3. Modify the /etc/hosts file to add the following entries to map to the IP of the local computer (varies by vendor of the phone):
192.168.1.x ss.ask.com
4. Configure the /etc/dnsmasq.conf file to listen on the IP:
listen-address=192.168.1.x
5. Restart DNSMASQ:
sudo /etc/init.d/dnsmasq restart
6. Use fallocate to create a file in "/var/www/html/":
sudo fallocate -l 5G query
7. Modify DNS settings on the test machine or the same machine to point to "192.168.1.x". If same machine, modify resolve.conf as follows:
nameserver 192.168.1.x
8. Start Chrome, go to settings and choose "Ask.com" as the default search provider.
9. Open new tab and try to type something in the omnibox.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State: browser closes, the following log message appears when logging is enabled:
tcmalloc: large alloc 1073741824 bytes == 0x2d2b6ea56000 @
[17724:17761:0630/084551:FATAL:memory_linux.cc(36)] Out of memory.
Aborted (core dumped)
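One defensive shape for the missing check the report points at, as an added Python example (not Chromium's code): a reader that caps the suggestion body at a byte budget and refuses non-HTTPS endpoints, so a hijacked connection serving a multi-gigabyte response is abandoned early instead of buffered until the process runs out of memory. The budget, hostnames and sample bodies are assumptions constructed for the example.

```python
"""Bounded fetch of an omnibox suggestion response (added example, not Chromium code).

Models the two controls the report says are missing: the prediction-service
URL must be HTTPS so a hijacked connection cannot substitute the body, and
the body is read against a byte budget and abandoned once it is exceeded.
"""
import io
from urllib.parse import urlparse

# Budget chosen for this example (assumption, not a Chromium constant). A JSON
# suggestion list is a few KB; the report says other platforms stop the fetch
# only after roughly 10-30 MB, which would already be a generous cap.
MAX_SUGGEST_BYTES = 256 * 1024
CHUNK = 64 * 1024

class ResponseTooLarge(Exception):
    """Body exceeded the byte budget."""

class InsecureSuggestURL(Exception):
    """Suggestion endpoint is not HTTPS."""

def check_suggest_url(url: str) -> str:
    """Refuse endpoints that a hijacked connection could answer for."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureSuggestURL(url)
    return url

def read_bounded(stream: io.BufferedIOBase, limit: int = MAX_SUGGEST_BYTES) -> bytes:
    """Read at most `limit` bytes; stop early rather than grow without bound."""
    buf = bytearray()
    while True:
        # Never request more than one byte past the remaining budget.
        chunk = stream.read(min(CHUNK, limit - len(buf) + 1))
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > limit:
            raise ResponseTooLarge(f"suggestion body exceeds {limit} bytes")

def fetch_suggestions(url: str, wire: bytes, limit: int = MAX_SUGGEST_BYTES):
    """Return (status, body); `wire` stands in for the socket so this runs offline."""
    try:
        check_suggest_url(url)
        return "ok", read_bounded(io.BytesIO(wire), limit)
    except InsecureSuggestURL:
        return "insecure", b""
    except ResponseTooLarge:
        return "too_large", b""
```

Feeding it a constructed body one byte over the budget returns "too_large" after reading only the budget plus one byte, whereas the unbounded fetch in the report keeps allocating until tcmalloc fails.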
Jun 30 2016
We don't consider DoS to be a security vulnerability. See the Chrome Security FAQ: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-
Jun 30 2016
Has this changed? We see similar bugs in the past that were considered security bugs: https://bugs.chromium.org/p/chromium/issues/detail?id=479162 https://bugs.chromium.org/p/chromium/issues/detail?id=477680 Additionally, since this is a memory overflow, can this result in an RCE? Last, if this is not a security bug, should we refile this as a new bug or feature request, or is this just not going to be fixed? Thanks
Jul 13 2016
Also, this happens occasionally on Windows as well.
Jul 26 2016
We have publicly disclosed this: https://wwws.nightwatchcybersecurity.com/2016/07/26/research-crashing-browsers-remotely-via-insecure-search-suggestions/
Oct 7 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 9 2017