Lucene search

K

Google Chrome 14.0.835.163 - .pdf File Handling Memory Corruption

🗓️ 04 Oct 2011 00:00:00Reported by Mario GomesType 
exploitpack
 exploitpack
👁 35 Views

Google Chrome PDF Memory Corruption Vulnerabilit

Show more
Related
Code
ReporterTitlePublishedViews
Family
Prion
Code injection
19 Sep 201112:02
prion
Exploit DB
Google Chrome < 14.0.835.163 - '.pdf' File Handling Memory Corruption
4 Oct 201100:00
exploitdb
Debian CVE
CVE-2011-2841
19 Sep 201112:02
debiancve
NVD
CVE-2011-2841
19 Sep 201112:02
nvd
CVE
CVE-2011-2841
19 Sep 201112:02
cve
seebug.org
Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption
5 Oct 201100:00
seebug
seebug.org
Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption
1 Jul 201400:00
seebug
UbuntuCve
CVE-2011-2841
19 Sep 201100:00
ubuntucve
Cvelist
CVE-2011-2841
17 Sep 201110:00
cvelist
OpenVAS
Google Chrome Multiple Vulnerabilities - Sep11 (Windows)
23 Sep 201100:00
openvas
Rows per page
----------------Security Adisory----------------

Title: Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption Vulnerability (CVE-2011-2841)
Sec-Security: Hich
CVE-Number: CVE-2011-2841
Date of discovery: 04/06/2011(MM/DD/YYYY)
Fix date: 06/28/2011(MM/DD/YYYY)
Fixed Version: Google Chrome >= 14.0.835.163 
Discovered by: Mario Gomes


----------------Summary----------------

Google Chrome is a web browser developed by Google that uses the WebKit layout engine. 
It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. 
The name is derived from the graphical user interface frame, or "chrome", of web browsers. 
As of August 2011, Chrome is the third most widely used browser with 23.16% worldwide usage share of web browsers, according to StatCounter.(From Wikipedia)



----------------Description----------------

Google Chrome suffers from a memory corruption vulnerability that occurs in the manipulation of PDF files. 
The failure occurs when the browser opens an HTML file that contains multiple tag <IFRAME> pointing to a PDF file. 
So it is a memory corruption flaw allows code to run within the sandbox.


----------------Stacktrace----------------

This stracktrace shows a clear memory corruption, because I do not have the symbols of Google's PDF viewer can not give more details.

(648.41c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=049c4000 ebx=0000efee ecx=049bc7a0 edx=841d63b9 esi=00000000 edi=049bf000
eip=6f3f9332 esp=002feaa0 ebp=002feac4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\Users\Cassio\AppData\Local\Google\Chrome\Application\12.0.742.91\pdf.dll - 
pdf!PPP_GetInterface+0x17be62:
6f3f9332 8b08 mov ecx,dword ptr [eax] ds:0023:049c4000=????????
Stacktrace:
pdf!PPP_GetInterface+0x17be62
pdf!PPP_GetInterface+0x17430f
pdf!PPP_GetInterface+0x172fe1
pdf!PPP_GetInterface+0x28d40
pdf!PPP_GetInterface+0x11db6
pdf!GetPDFDocInfo+0x1944f
pdf!GetPDFDocInfo+0x18cce
pdf!GetPDFDocInfo+0x1868c
pdf!GetPDFDocInfo+0x85ae
pdf!GetPDFDocInfo+0x4432
pdf+0x64d0
pdf!GetPDFDocInfo+0x6f42
pdf!GetPDFDocInfo+0x6d0e
pdf!GetPDFDocInfo+0x49e0
pdf!GetPDFDocInfo+0x37be
pdf!GetPDFDocInfo+0x3792
pdf!GetPDFDocInfo+0x3db1
chrome_63700000!WebCore::DocumentLoader::finishedLoading+0x31
chrome_63700000!WebCore::FrameLoader::finishedLoading+0x26
chrome_63700000!WebCore::MainResourceLoader::didFinishLoading+0x5c
chrome_63700000!WebCore::ResourceLoader::didFinishLoading+0xe
chrome_63700000!WebCore::ResourceHandleInternal::didFinishLoading+0x35
chrome_63700000!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest+0x10c
chrome_63700000!ResourceDispatcher::OnRequestComplete+0x43
chrome_63700000!IPC::MessageWithTuple<Tuple4<int,net::URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::alloc+0x4d
chrome_63700000!ResourceDispatcher::DispatchMessageW+0x4f
chrome_63700000!ResourceDispatcher::OnMessageReceived+0xbb
chrome_63700000!ChildThread::OnMessageReceived+0x1b
chrome_63700000!RunnableMethod<notifier::MediatorThreadImpl::Core,void (__thiscall notifier::MediatorThreadImpl::Core::*)(std::+0x17
chrome_63700000!MessageLoop::RunTask+0x7d
chrome_63700000!MessageLoop::DeferOrRunPendingTask+0x28
chrome_63700000!MessageLoop::DoWork+0x71
chrome_63700000!base::MessagePumpDefault::Run+0xc2
chrome_63700000!MessageLoop::RunInternal+0x31
chrome_63700000!MessageLoop::RunHandler+0x17
chrome_63700000!MessageLoop::Run+0x15
chrome_63700000!RendererMain+0x309
chrome_63700000!ChromeMain+0x653
chrome!MainDllLoader::Launch+0xf0
chrome!wWinMain+0xef
chrome!__tmainCRTStartup+0x112
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b


----------------Tested On----------------

Microsoft Windows XP Professional Service Pack 3 (Brazilian Portuguese)

----------------Proof-of-concept----------------

Poc in HTML File: http://pastebin.com/DBUGWbQM
The PDF file needed can be found here: http://www.irs.gov/pub/irs-pdf/fw4.pdf

Download both files here:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17929.zip


----------------Steps to Reproduce----------------

1. Create the file poc.html with this code http://pastebin.com/DBUGWbQM
2. Download the PDF file here and save in same folder
3. Open the poc.html with fw4.pdf in same folder.


----------------Vulnerability Timeline(MM/DD/YYYY)----------------

[04/06/2011] Vulnerability is discovered and sent to the vendor.
[04/06/2011] The Google security team confirm the vulnerability and updates the status.
[06/13/2011] More information about the vulnerability is sent.
[07/28/2011] Vulnerability is fixed and the vendor announces the launch of the patch is version 14.
[09/16/2011] The vendor released version 14 with the flaw fixed.
[10/03/2011] Coordinated public security advisory released.

----------------References----------------

Google Release Notes Post(http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html)
CVE Number(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2841)
Chromium Bug Tracker Bug Id(http://code.google.com/p/chromium/issues/detail?id=78639)
Vulnerability Blog Post(http://net-fuzzer.blogspot.com/2011/10/google-chrome-140835163-pdf-file.html)



----------------Vulnerability Credits----------------
Mario Gomes Security Researcher and Pen-tester, Goiania - GO, Brazil
Blog http://net-fuzzer.blogspot.com
Contact [email protected]

----------------End of Advisory----------------

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
04 Oct 2011 00:00Current
0.8Low risk
Vulners AI Score0.8
EPSS0.103
35
.json
Report