Issue 760582

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: OOB Vulnerability in Chrome on Windows

Reported by psvitais...@gmail.com, Aug 30 2017

Issue description

VULNERABILITY DETAILS
What is up, I found an OOB vulnerability in Chrome on Windows. It is JavaScript.

VERSION
Chrome Version: [60.0.3112.113] + [stable]
Operating System: [Windows 10, 64bit]


Links: https://ghostbin.com/paste/yx5y6

If the link does not work here is a copy of the code:

var i = 0;
for (i = 0; i < getComputedStyle(document.body).length; i++) {
  document.body.innerText += getComputedStyle(document.body)[i] + "\n";
  // Note: this inner loop increments the outer index i, not x, so each pass
  // appends character 0 of the next property name; once i runs past the
  // end of the style list, getComputedStyle(document.body)[i] is undefined
  // and the .length access throws a TypeError (see the triage reply below).
  for (var x = 0; x < getComputedStyle(document.body)[i].length; i++) {
    document.body.innerText += getComputedStyle(document.body)[i][x]; /*OOB read*/
  }
}
//Rudie Lamprecht
email me at psvitaissoocool@gmail.com


If you need it, my PayPal is psvitaissoocool@gmail.com.
Got a lot more bugs.

It's a Google Chrome out-of-bounds read vulnerability. Could be used to write an exploit for dumping passwords from memory.

Labels: Needs-Feedback
Can you explain why you think this is an out of bounds read?

This script starts by writing out the first CSS property of the body ("animation-delay").

It then loops, emitting the first letter of each subsequent CSS property until it reaches either 'caret-color' or 'line-break' (depending on Chrome version), after which it throws a script error:

  "Uncaught TypeError: Cannot read property 'length' of undefined"
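Added example, not code from the report or from Chromium: a Node.js model of the posted loop that shows why the failure is a script TypeError and not a memory read. The live CSSStyleDeclaration is replaced by a constructed array of three property names taken from the reply above; the sink object and the triage helper are assumptions for capturing partial output.

```javascript
// Constructed stand-in for getComputedStyle(document.body): like a real
// CSSStyleDeclaration, indexing past its end yields undefined, not memory.
const FAKE_COMPUTED_STYLE = ["animation-delay", "caret-color", "line-break"];

// The reporter's loop with its logic unchanged: the inner loop advances the
// outer index i instead of x, so each pass appends character 0 of the NEXT
// property name, and once i passes the end, style[i] is undefined and the
// `.length` access throws a TypeError. Output goes to sink.text so that the
// partial output survives the throw.
function reportedLoop(style, sink) {
  for (let i = 0; i < style.length; i++) {
    sink.text += style[i] + "\n";
    for (let x = 0; x < style[i].length; i++) { // bug: i++ instead of x++
      sink.text += style[i][x];
    }
  }
}

// The same loop with the inner counter corrected: every property name is
// written out in full and no exception occurs.
function fixedLoop(style, sink) {
  for (let i = 0; i < style.length; i++) {
    sink.text += style[i] + "\n";
    for (let x = 0; x < style[i].length; x++) {
      sink.text += style[i][x];
    }
  }
}

// Runs a loop and reports what a triager sees: the text produced before any
// exception, and the exception itself (null if the loop completed).
function triage(loop, style) {
  const sink = { text: "" };
  try {
    loop(style, sink);
    return { text: sink.text, error: null };
  } catch (e) {
    return { text: sink.text, error: e };
  }
}

// Out-of-range indexing on a JavaScript array or string is bounds-checked by
// the engine and returns undefined; script cannot reach adjacent memory.
function indexPastEndIsUndefined(style) {
  return style[style.length + 1000] === undefined && style[0][1000] === undefined;
}

const seen = triage(reportedLoop, FAKE_COMPUTED_STYLE);
console.log(JSON.stringify(seen.text), seen.error && seen.error.name); // "animation-delay\nacl" TypeError
```

Running the model reproduces the reply's observation exactly: the first property in full, then one leading letter per subsequent property, then a TypeError once the index passes the end of the list.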
Project Member

Comment 3 by ClusterFuzz, Sep 6 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5466317225459712.
Cc: nparker@chromium.org elawrence@chromium.org
Status: WontFix (was: Unconfirmed)
CF can't repro this.
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 14 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot