SSV:72187 (seebug, Root)
History: Jul 01, 2014 - 12:00 a.m.

Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption

Root
www.seebug.org
65

EPSS: 0.088 (Percentile: 94.6%)

No description provided by source.


----------------Security Advisory----------------

Title: Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption Vulnerability (CVE-2011-2841)
Severity: High
CVE-Number: CVE-2011-2841
Date of discovery: 04/06/2011 (MM/DD/YYYY)
Fix date: 06/28/2011 (MM/DD/YYYY)
Fixed Version: Google Chrome >= 14.0.835.163
Discovered by: Mario Gomes


----------------Summary----------------

Google Chrome is a web browser developed by Google that uses the WebKit layout engine.
It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008.
The name is derived from the graphical user interface frame, or "chrome", of web browsers.
As of August 2011, Chrome is the third most widely used browser with 23.16% worldwide usage share of web browsers, according to StatCounter. (From Wikipedia)



----------------Description----------------

Google Chrome suffers from a memory corruption vulnerability in its handling of PDF files.
The failure occurs when the browser opens an HTML file that contains multiple <IFRAME> tags pointing to a PDF file.
The memory corruption allows code to run within the sandbox.


----------------Stacktrace----------------

This stack trace shows a clear memory corruption; because I do not have the symbols of Google's PDF viewer, I cannot give more details.

(648.41c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=049c4000 ebx=0000efee ecx=049bc7a0 edx=841d63b9 esi=00000000 edi=049bf000
eip=6f3f9332 esp=002feaa0 ebp=002feac4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\Users\Cassio\AppData\Local\Google\Chrome\Application\12.0.742.91\pdf.dll - 
pdf!PPP_GetInterface+0x17be62:
6f3f9332 8b08 mov ecx,dword ptr [eax] ds:0023:049c4000=????????
Stacktrace:
pdf!PPP_GetInterface+0x17be62
pdf!PPP_GetInterface+0x17430f
pdf!PPP_GetInterface+0x172fe1
pdf!PPP_GetInterface+0x28d40
pdf!PPP_GetInterface+0x11db6
pdf!GetPDFDocInfo+0x1944f
pdf!GetPDFDocInfo+0x18cce
pdf!GetPDFDocInfo+0x1868c
pdf!GetPDFDocInfo+0x85ae
pdf!GetPDFDocInfo+0x4432
pdf+0x64d0
pdf!GetPDFDocInfo+0x6f42
pdf!GetPDFDocInfo+0x6d0e
pdf!GetPDFDocInfo+0x49e0
pdf!GetPDFDocInfo+0x37be
pdf!GetPDFDocInfo+0x3792
pdf!GetPDFDocInfo+0x3db1
chrome_63700000!WebCore::DocumentLoader::finishedLoading+0x31
chrome_63700000!WebCore::FrameLoader::finishedLoading+0x26
chrome_63700000!WebCore::MainResourceLoader::didFinishLoading+0x5c
chrome_63700000!WebCore::ResourceLoader::didFinishLoading+0xe
chrome_63700000!WebCore::ResourceHandleInternal::didFinishLoading+0x35
chrome_63700000!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest+0x10c
chrome_63700000!ResourceDispatcher::OnRequestComplete+0x43
chrome_63700000!IPC::MessageWithTuple<Tuple4<int,net::URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::alloc+0x4d
chrome_63700000!ResourceDispatcher::DispatchMessageW+0x4f
chrome_63700000!ResourceDispatcher::OnMessageReceived+0xbb
chrome_63700000!ChildThread::OnMessageReceived+0x1b
chrome_63700000!RunnableMethod<notifier::MediatorThreadImpl::Core,void (__thiscall notifier::MediatorThreadImpl::Core::*)(std::+0x17
chrome_63700000!MessageLoop::RunTask+0x7d
chrome_63700000!MessageLoop::DeferOrRunPendingTask+0x28
chrome_63700000!MessageLoop::DoWork+0x71
chrome_63700000!base::MessagePumpDefault::Run+0xc2
chrome_63700000!MessageLoop::RunInternal+0x31
chrome_63700000!MessageLoop::RunHandler+0x17
chrome_63700000!MessageLoop::Run+0x15
chrome_63700000!RendererMain+0x309
chrome_63700000!ChromeMain+0x653
chrome!MainDllLoader::Launch+0xf0
chrome!wWinMain+0xef
chrome!__tmainCRTStartup+0x112
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
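The WinDbg output above can be triaged mechanically before any symbols are available: pull out the exception code, the faulting instruction, whether the failed access is a read or a write, which register supplied the bad address, and which module owns the top of the stack. The script below is an added example written for this page, not code from the advisory or from Google; the dump it parses is a constructed excerpt of the trace quoted above, trimmed to a handful of frames, and the "page-aligned fault address" check is a common triage heuristic, not a finding the advisory states.

```python
"""Triage a WinDbg-style first-chance access violation dump (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the advisory's WinDbg output, shortened to a few frames.
SAMPLE_DUMP = """\
(648.41c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
eax=049c4000 ebx=0000efee ecx=049bc7a0 edx=841d63b9 esi=00000000 edi=049bf000
eip=6f3f9332 esp=002feaa0 ebp=002feac4 iopl=0 nv up ei pl nz na pe nc
pdf!PPP_GetInterface+0x17be62:
6f3f9332 8b08 mov ecx,dword ptr [eax] ds:0023:049c4000=????????
Stacktrace:
pdf!PPP_GetInterface+0x17be62
pdf!PPP_GetInterface+0x17430f
pdf!GetPDFDocInfo+0x3db1
chrome_63700000!WebCore::DocumentLoader::finishedLoading+0x31
chrome_63700000!MessageLoop::Run+0x15
chrome!wWinMain+0xef
kernel32!BaseThreadInitThunk+0xe
"""

EXC_RE = re.compile(r"code ([0-9a-fA-F]{8})")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
# "<eip> <opcode bytes> <mnemonic> <operands> [ds:<seg>:<target>=<value>]"
INSN_RE = re.compile(
    r"^([0-9a-fA-F]{8}) ([0-9a-fA-F]+) (\w+) (.+?)"
    r"(?: [dsefg]s:[0-9a-fA-F]+:([0-9a-fA-F]{8})=(\S+))?$"
)
FRAME_RE = re.compile(r"^(\w+)(?:!(.+?))?\+0x([0-9a-fA-F]+)$")
# One-operand instructions whose single memory operand is written, not read.
WRITE_ONLY_MNEMONICS = {"inc", "dec", "not", "neg"}


@dataclass
class Frame:
    module: str
    symbol: Optional[str]
    offset: int


@dataclass
class Triage:
    exception_code: Optional[str] = None
    registers: Dict[str, int] = field(default_factory=dict)
    mnemonic: Optional[str] = None
    operands: Optional[str] = None
    access: str = "unknown"            # "read", "write" or "unknown"
    base_register: Optional[str] = None
    fault_address: Optional[int] = None
    target_unreadable: bool = False    # WinDbg printed "????????" for the target
    frames: List[Frame] = field(default_factory=list)

    @property
    def faulting_module(self) -> Optional[str]:
        return self.frames[0].module if self.frames else None

    def frames_in(self, module: str) -> int:
        return sum(1 for f in self.frames if f.module == module)

    def fault_is_page_aligned(self) -> bool:
        # Heuristic: a fault on the first byte of a page often means a
        # sequential access ran off the end of a mapped buffer.
        return self.fault_address is not None and self.fault_address % 0x1000 == 0


def classify_access(mnemonic: str, operands: str) -> str:
    """Heuristic: memory as destination => write, memory as source => read."""
    parts = [p.strip() for p in operands.split(",", 1)]
    if len(parts) == 2:
        dest, src = parts
        if "[" in dest:
            return "write"
        return "read" if "[" in src else "unknown"
    if "[" in parts[0]:
        return "write" if mnemonic in WRITE_ONLY_MNEMONICS else "read"
    return "unknown"


def triage(dump: str) -> Triage:
    t = Triage()
    in_stack = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                t.frames.append(Frame(m.group(1), m.group(2), int(m.group(3), 16)))
            continue
        if line.lower().startswith("stacktrace:"):
            in_stack = True
            continue
        if t.exception_code is None:
            m = EXC_RE.search(line)
            if m:
                t.exception_code = m.group(1).lower()
                continue
        for reg, val in REG_RE.findall(line):
            t.registers[reg] = int(val, 16)
        m = INSN_RE.match(line)
        if m and t.mnemonic is None:
            t.mnemonic, t.operands = m.group(3), m.group(4)
            t.access = classify_access(t.mnemonic, t.operands)
            base = re.search(r"\[(\w+)", t.operands)
            t.base_register = base.group(1) if base else None
            if m.group(5):
                t.fault_address = int(m.group(5), 16)
                t.target_unreadable = m.group(6).startswith("?")
    return t


def summarize(t: Triage) -> str:
    head = f"exception {t.exception_code}: {t.access}"
    if t.fault_address is not None:
        head += f" at {t.fault_address:#010x}"
    lines = [head, f"faulting instruction: {t.mnemonic} {t.operands}",
             f"top frame module: {t.faulting_module} ({t.frames_in(t.faulting_module)} frames)"]
    if t.fault_is_page_aligned():
        lines.append("fault address is page-aligned: possible over-read past a buffer end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_DUMP)))
```

Run as-is it classifies the quoted crash as a read access violation at 0x049c4000 through eax, with pdf.dll owning the top of the stack and the faulting address sitting exactly on a page boundary; that is enough to tell a reproducible out-of-bounds read from a wild write or a stack exhaustion when sorting fuzzer crashes, and the same parser works on any WinDbg first-chance dump of this shape.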


----------------Tested On----------------

Microsoft Windows XP Professional Service Pack 3 (Brazilian Portuguese)

----------------Proof-of-concept----------------

Poc in HTML File: http://pastebin.com/DBUGWbQM
The PDF file needed can be found here: http://www.irs.gov/pub/irs-pdf/fw4.pdf

Download both files here:
http://www.exploit-db.com/sploits/17929.zip


----------------Steps to Reproduce----------------

1. Create the file poc.html with the code from http://pastebin.com/DBUGWbQM
2. Download the PDF file (fw4.pdf) from the link above and save it in the same folder.
3. Open poc.html with fw4.pdf in the same folder.


----------------Vulnerability Timeline(MM/DD/YYYY)----------------

[04/06/2011] Vulnerability is discovered and sent to the vendor.
[04/06/2011] The Google security team confirms the vulnerability and updates the status.
[06/13/2011] More information about the vulnerability is sent.
[07/28/2011] Vulnerability is fixed and the vendor announces that the patch will ship in version 14.
[09/16/2011] The vendor released version 14 with the flaw fixed.
[10/03/2011] Coordinated public security advisory released.

----------------References----------------

Google Release Notes Post (http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html)
CVE Number (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2841)
Chromium Bug Tracker Bug Id (http://code.google.com/p/chromium/issues/detail?id=78639)
Vulnerability Blog Post (http://net-fuzzer.blogspot.com/2011/10/google-chrome-140835163-pdf-file.html)



----------------Vulnerability Credits----------------
Mario Gomes, Security Researcher and Pen-tester, Goiania - GO, Brazil
Blog http://net-fuzzer.blogspot.com
Contact [email protected]

----------------End of Advisory----------------