Issue 624779

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Search prediction service over HTTP crashes Chrome on Linux

Reported by resea...@nightwatchcybersecurity.com, Jun 30 2016

Issue description

VULNERABILITY DETAILS
Some of the built-in search engines that come with Chrome do not use SSL for the prediction service in the OmniBar. Hijacking the connection and serving large responses will crash Chrome on Linux by running out of memory. This only happens on Linux; on Mac OS, Android and Windows, the request stops after consuming around 10-30 MBs (still not a good thing but not as bad as a crash). We didn't try testing on Android with a slow connection to see if the browser would hang while the download happens.

Search engines are defined in /src/components/search_engines/prepopulated_engines.json, two default ones (AOL and Ask.com) are not using SSL for US/English. We tested those.

The source of the bug seems to be in src/components/omnibox/browser/zero_suggest_provider.cc, lines 312-338, specifically:

    fetcher_->SetExtraRequestHeaders(headers.ToString());
    fetcher_->Start();

there doesn't seem to be a limit on how big the response can be, although some sort of overall fetch protection seems to kick in for MacOS, Android and Windows.

VERSION
Chrome Version: 51.0.2704.106 (Official Build) (64-bit)
Operating System: Ubuntu 16.04

REPRODUCTION CASE
1. Install DNSMASQ:
sudo apt-get install dnsmasq

2. Install NGINX:
sudo apt-get install nginx

3. Modify the /etc/hosts file to add the following entries to map to the IP of the local computer (varies by vendor of the phone):

192.168.1.x ss.ask.com

4. Configure the /etc/dnsmasq.conf file to listen on the IP:
listen-address=192.168.1.x

5. Restart DNSMASQ:
sudo /etc/init.d/dnsmasq restart

6. Use fallocate to create a file in "/var/www/html/"
sudo fallocate -l 5G query

7. Modify DNS settings on the test machine or the same machine to point to "192.168.1.x". If same machine, modify resolv.conf as follows:
nameserver 192.168.1.x

8. Start Chrome, go to settings and choose "Ask.com" as the default search provider.
9. Open new tab and try to type something in the omnibox.


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State: browser closes, the following log message appears when logging is enabled:

tcmalloc: large alloc 1073741824 bytes == 0x2d2b6ea56000 @ 
[17724:17761:0630/084551:FATAL:memory_linux.cc(36)] Out of memory.
Aborted (core dumped)
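The report's root cause is a suggest fetch whose response is buffered with no upper bound. As an added illustration (not code from the report or from Chromium), the following C++ sketch shows the defensive pattern such a fetcher needs: refuse a declared Content-Length above a cap before buffering anything, and cancel mid-stream once the running total would exceed the cap. BoundedResponseSink, SimulateFetch and the 1 MiB cap used in the checks are hypothetical names and values.

```cpp
// Added example, not Chromium code: a response sink with a hard size cap, the
// kind of limit the report says the zero-suggest fetch lacks. Names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>

enum class FetchResult { kOk, kRejectedByHeader, kAbortedMidStream };

class BoundedResponseSink {
 public:
  explicit BoundedResponseSink(size_t max_bytes) : max_bytes_(max_bytes) {}
  // Headers arrived; content_length < 0 means none was declared. A declared
  // size above the cap is refused before a single body byte is buffered.
  bool OnHeaders(int64_t content_length) {
    if (content_length > static_cast<int64_t>(max_bytes_)) {
      result_ = FetchResult::kRejectedByHeader;
      return false;
    }
    return true;
  }
  // One body chunk; returning false tells the fetcher to cancel. The running
  // total is checked before appending, so the buffer never exceeds the cap.
  bool OnData(const char* data, size_t len) {
    if (result_ != FetchResult::kOk) return false;
    if (len > max_bytes_ - buffer_.size()) {
      result_ = FetchResult::kAbortedMidStream;
      std::string().swap(buffer_);  // release what was buffered so far
      return false;
    }
    buffer_.append(data, len);
    return true;
  }
  FetchResult result() const { return result_; }

 private:
  size_t max_bytes_;
  std::string buffer_;
  FetchResult result_ = FetchResult::kOk;
};

// Constructed stream of `total` bytes in `chunk`-sized pieces (no network);
// declared_length plays the Content-Length header, -1 for none.
FetchResult SimulateFetch(size_t max_bytes, int64_t declared_length,
                          size_t total, size_t chunk) {
  BoundedResponseSink sink(max_bytes);
  if (!sink.OnHeaders(declared_length)) return sink.result();
  const std::string piece(chunk, 'x');
  for (size_t sent = 0; sent < total; sent += chunk) {
    if (!sink.OnData(piece.data(), std::min(chunk, total - sent))) break;
  }
  return sink.result();
}
```

With a 1 MiB cap, a response declaring 5 GiB is refused at the header stage, and a chunked response with no declared length is cancelled as soon as it crosses the cap instead of growing until the allocator gives up.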

Comment 2 by palmer@chromium.org, Jun 30 2016

Status: WontFix (was: Unconfirmed)
We don't consider DoS to be a security vulnerability. See the Chrome Security FAQ: https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-

Has this changed, because we see similar bugs in the past considered security bugs:
https://bugs.chromium.org/p/chromium/issues/detail?id=479162
https://bugs.chromium.org/p/chromium/issues/detail?id=477680

Additionally, since this is a memory overflow, can this result in a RCE?

Last, if this is not a security bug, should we refile this as a new bug or feature request, or is this just not going to be fixed?

Thanks

Also - this happens occasionally on Windows as well.

Comment 6 by sheriffbot@chromium.org, Oct 7 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot