Don't use Chrome to browse this article, it will crash! - Vulnerability warning-the black bar safety net

2015-09-22T00:00:00
ID MYHACK58:62201567258
Type myhack58
Reporter Anonymous
Modified 2015-09-22T00:00:00

Description

An earlier example showed 8 characters crashing Skype; today's subject is 16 characters that crash Chrome. You only need to click on those 16 characters, and even just moving the mouse around over this 16-byte link can cause Chrome to crash.

Challenge Google Chrome: just 16 characters

This bug was first found by Andris Atteka, who explains in his blog that simply adding a null character to a URL is enough to crash Chrome. The example in his blog is 26 characters long; we streamlined it, and in the end only 16 characters are needed to crash Chrome.

Next, in the latest stable version, Chrome 45, and in earlier versions, you can enter the following characters in the browser address bar:

http://a/%%30%30

Test note: moving the mouse around can trigger the crash; refresh the page afterwards. Your browser tab or the entire browser will crash. In our own test, the page crashed once the mouse triggered it.

Atteka has now reported this bug to Google as a Chromium issue. However, since Google considers that this bug is not itself a security issue, Atteka did not receive any reward, although the impact on users is plainly quite large. Hovering the mouse over the link or clicking the link can crash your Chrome tab, and even the other tabs along with it.

In our tests, Chrome for Windows and Chrome for Mac are affected. Interestingly, I can't reproduce this bug on the Android version. No matter where I insert the null character, I am unable to reproduce this bug.

Why is this so?

Data security of cattle reported that the issue is produced as follows:

· The %%300 at the tail end of the URL is converted into %00, since 0x30 is the ASCII code of 0, so a null byte is inserted at the end of the URL;
· This URL is passed to the GURLToDatabaseURL() function, which calls the ReplaceComponents() function;
· This causes the URL to be processed again, and the processing reaches the null byte. The browser considers that a null byte should not appear, so it marks the URL as invalid;
· The code path returns to the GURLToDatabaseURL() function, but that function assumes the URL is valid and then calls the spec() function;
· But the URL is actually invalid, so the DCHECK() function causes the software to bail out; and
· When the mouse pointer rests on the URL, this invalid URL is sent to a part of the browser that handles it as a valid address, and eventually the tab crashes.
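The repeated-decoding step described above can be checked for on the defensive side before a URL reaches any component that assumes it is already canonical. The following is an added example, not code from the article or from Chromium: it models a lenient percent-decoder (an assumption) and flags URLs that keep changing when decoded again or that yield a control byte at any layer. The function names and the sample URLs other than the one quoted above are constructed for illustration.

```python
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_once(text: str) -> str:
    """One lenient percent-decoding pass: valid %XX escapes are decoded,
    a stray '%' is left in place (assumed model, not Chromium's canonicalizer)."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), text)

def decode_layers(url: str, max_rounds: int = 5) -> list[str]:
    """Return the URL followed by each further decoded form until it is stable."""
    layers = [url]
    for _ in range(max_rounds):
        nxt = decode_once(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def audit_url(url: str) -> dict:
    """Flag URLs whose meaning changes when they are decoded more than once."""
    layers = decode_layers(url)
    # Index of the first layer (0 = as received) that contains a control byte.
    ctrl_at = next((i for i, s in enumerate(layers)
                    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)), None)
    nested = len(layers) > 2  # a second pass changed the string again
    return {
        "layers": layers,
        "nested_encoding": nested,
        "control_byte_layer": ctrl_at,
        "reject": nested or ctrl_at is not None,
    }

# Constructed sample inputs; the first is the string quoted in the article.
SAMPLES = ["http://a/%%30%30", "http://a/%2541", "http://a/b%20c", "http://a/%00"]

if __name__ == "__main__":
    for u in SAMPLES:
        r = audit_url(u)
        print(f"{u!r:22} layers={r['layers']!r} reject={r['reject']}")
```

A validator that inspects only the first decoded layer sees the literal text %00 and no null byte, which is why the check decodes until the string stops changing.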