Vulners
Lucene search
Google Chrome - Renderer Process to Browser Process Privilege Escalation
🗓️ 18 Dec 2015 00:00:00Reported by Google Security ResearchType 
exploitdb🔗 www.exploit-db.com👁 23 Views
Source: https://code.google.com/p/google-security-research/issues/detail?id=664
There is an overflow in the ui::PlatformCursor WebCursor::GetPlatformCursor method. In src/content/common/cursors/webcursor_aurax11.cc&q=webcursor_aurax11.cc, there is the following code:
bitmap.allocN32Pixels(custom_size_.width(), custom_size_.height());
memcpy(bitmap.getAddr32(0, 0), custom_data_.data(), custom_data_.size());
The bitmap buffer is allocated based on the width and height of the custom_size_, but the memcpy is performed using the size of the custom_data_.
These values are set during WebCursor deserialization in src/content/common/cursors/webcursor.cc in WebCursor::Deserialize.
custom_size_ is set from two integers that a deserialized from a message and can be between 0 and 1024. custom_data_ is set from a vector that is deserialized, and can be any size, unrelated to the width and height. The custom_data_ is verified not to be smaller than the expected pixel buffer based on the width and height, but can be longer.
GetPlatformCursor is called indirectly by RenderWidgetHostImpl::OnSetCursor, which is called in response to a ViewHostMsg_SetCursor message from the renderer.
The issue above is in the x11 implementation, but it appears also affect other platform-specific implementations other than the Windows one, which instead reads out of bounds.
I recommend this issue be fixed by changing the check in WebCursor::Deserialize:
if (size_x * size_y * 4 > data_len)
return false;
to
if (size_x * size_y * 4 != data_len)
return false;
to prevent the issue in all platform-specific implementations.
To reproduce the issue replace WebCursor::Serialize with:
bool WebCursor::Serialize(base::Pickle* pickle) const {
if(type_ == WebCursorInfo::TypeCustom){
LOG(WARNING) << "IN SERIALIZE\n";
if (!pickle->WriteInt(type_) ||
!pickle->WriteInt(hotspot_.x()) ||
!pickle->WriteInt(hotspot_.y()) ||
!pickle->WriteInt(2) ||
!pickle->WriteInt(1) ||
!pickle->WriteFloat(custom_scale_))
return false;
}else{
if (!pickle->WriteInt(type_) ||
!pickle->WriteInt(hotspot_.x()) ||
!pickle->WriteInt(hotspot_.y()) ||
!pickle->WriteInt(custom_size_.width()) ||
!pickle->WriteInt(custom_size_.height()) ||
!pickle->WriteFloat(custom_scale_))
return false;
}
const char* data = NULL;
if (!custom_data_.empty())
data = &custom_data_[0];
if (!pickle->WriteData(data, custom_data_.size()))
return false;
return SerializePlatformData(pickle);
}
and visit the attached html page, with the attached image in the same directory.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39039.zipData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Dec 2015 00:00Current
7.4High risk
Vulners AI Score7.4