Issue 755986


Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: SOCKS 4/4A HTML injection in malformed socks server ACK response

Reported by n.ava...@gmail.com, Aug 16 2017

Issue description

VULNERABILITY DETAILS
With Chrome configured to use a SOCKS server, if an evil SOCKS server sends a malformed ACK like this:
       +----+----+----+----+----+----+----+----+-----------------------
       | VN | CD | DSTPORT |      DSTIP        |<head><title>hacked...
       +----+----+----+----+----+----+----+----+-----------------------
bytes:    1    1      2              4              n byte of code to inject

Chrome inserts the injected code at the beginning of all the pages you visit.
You can then change the content of the pages you visit with malicious code.

VERSION
Chrome Version: [60.0.3112.101] + stable
Operating System: Windows, all versions

REPRODUCTION CASE
In the attachment is a simple SOCKS 4/4a proxy written in Python for Linux. You must configure Chrome to use the SOCKS server on port 1080, then try visiting a website like http://www.ansa.it (it does not work with HTTPS sites).

Best Regards
Nicola Avanzi

Attachment: proxy.py (3.5 KB)
Components: Internals>Network>Proxy
Status: WontFix (was: Unconfirmed)
The ability to inject content into HTTP responses is not a security issue. A proxy server inherently has the ability to rewrite all non-secure traffic that flows through it. 

The "malformed ack" shown here is indistinguishable from a properly-formed ACK followed by the content from the target server.
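To make the triage reasoning concrete, the following is an added example (it is not the reporter's proxy.py and not Chromium code) that parses a SOCKS 4/4a server reply the way a client has to: the reply is exactly 8 bytes, and by protocol every byte after it is the start of the tunnelled connection and is passed to the application unchanged. The two sample replies are constructed here; one carries injected markup after the header, the other carries an ordinary origin response. Both parse to identical header fields, so the client has no protocol-level signal that would let it tell injected bytes from relayed ones, which is why the report describes non-secure traffic only. The constant names and the helper `indistinguishable` are this example's own.

```python
import struct

SOCKS4_REPLY_LEN = 8
CD_GRANTED = 90             # request granted
CD_REJECTED = {91, 92, 93}  # rejected/failed, identd unreachable, identd mismatch


def parse_socks4_reply(data: bytes):
    """Split a SOCKS 4/4a server reply from the bytes that follow it.

    Reply layout: VN (1 byte), CD (1 byte), DSTPORT (2 bytes, big endian),
    DSTIP (4 bytes). Anything after those 8 bytes is the first data of the
    tunnelled stream and is handed up to the application as-is.
    Returns (granted, dstport, dstip, payload) or raises ValueError.
    """
    if len(data) < SOCKS4_REPLY_LEN:
        raise ValueError("short SOCKS4 reply")
    vn, cd, dstport, dstip = struct.unpack("!BBH4s", data[:SOCKS4_REPLY_LEN])
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    if cd in CD_REJECTED:
        # Connection refused by the proxy; no stream follows.
        return False, dstport, dstip, b""
    if cd != CD_GRANTED:
        raise ValueError(f"unknown SOCKS4 reply code {cd}")
    return True, dstport, dstip, data[SOCKS4_REPLY_LEN:]


# A granted reply; SOCKS4 servers commonly leave DSTPORT/DSTIP zeroed.
GRANTED_HEADER = struct.pack("!BBH4s", 0, CD_GRANTED, 0, b"\0\0\0\0")

# Constructed sample inputs (not taken from the report's attachment):
# 1. the shape the report calls a "malformed ACK": header + injected markup
INJECTING_PROXY = GRANTED_HEADER + b"<head><title>hacked</title></head>"
# 2. an honest proxy that has already relayed the first bytes from the origin
HONEST_PROXY = GRANTED_HEADER + (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
)


def indistinguishable(a: bytes, b: bytes) -> bool:
    """True when two replies parse to the same header fields, i.e. the client
    sees no protocol-level difference between injected and relayed bytes."""
    ga, pa, ia, _ = parse_socks4_reply(a)
    gb, pb, ib, _ = parse_socks4_reply(b)
    return (ga, pa, ia) == (gb, pb, ib)


if __name__ == "__main__":
    for label, reply in (("injecting", INJECTING_PROXY), ("honest", HONEST_PROXY)):
        granted, port, ip, payload = parse_socks4_reply(reply)
        print(f"{label}: granted={granted} stream starts with {payload[:16]!r}")
    print("headers identical:", indistinguishable(INJECTING_PROXY, HONEST_PROXY))
```

The payload after the 8-byte header is exactly what Chrome hands to its HTTP layer, so a proxy that prepends markup is doing nothing the protocol forbids; only a TLS session to the origin, which the proxy cannot read or rewrite, removes that capability, matching the reporter's note that the technique does not work for HTTPS sites.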

Comment 2 by sheriffbot@chromium.org, Nov 23 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot