Date: Thu, 14 Mar 2013 00:39:18 -0300
From: Heyder Andrade <heyder.andrade@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Chrome Null Pointer in InspectDataSource::StartDataRequest


---| overview

Vulnerability: Chrome Null Pointer in InspectDataSource::StartDataRequest
Date: 03/14/2012
Author: @HeyderAndrade (heyder.andrade[at]gmail[dot]com)
Chrome Version: =< 21.0.1180.57 stable
Operating System Tested: Win XP SP2, WIN7, Mac OS X 10.6.8 (10K549), Linux Ubuntu 12.04
Architecture: x86 and Amd64

---| steps to reproduce this crash

1. Open the browser and visit any site that has an SSL certificate signed by a CA that is not trusted.
An SSL error will be shown; DON'T click "proceed anyway".
2. Open a new tab and access chrome://inspect

PS. I believe it should work with any SSL error, but I tested only with the invalid CA error.

---| original OSX Crash Report

 Process:         Google Chrome [767]
 Path:            /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
 Identifier:      com.google.Chrome
 Version:         21.0.1180.57 (1180.57)
 Code Type:       X86 (Native)
 Parent Process:  launchd [158]

 Date/Time:       2012-08-08 22:53:09.442 -0300
 OS Version:      Mac OS X 10.6.8 (10K549)
 Report Version:  6

 Interval Since Last Report:          19713 sec
 Crashes Since Last Report:           1
 Per-App Interval Since Last Report:  19374 sec
 Per-App Crashes Since Last Report:   1
 Anonymous UUID:                      B5BA5F00-E166-4923-9393-E0FC63561975

 Exception Type:  EXC_BAD_ACCESS (SIGBUS)
 Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
 Crashed Thread:  0  CrBrowserMain  Dispatch queue: com.apple.main-thread

---| source code

This vulnerability lies in the function call DCHECK (line 118 of inspect_ui.cc);
the render_process_host can be NULL.

 file:     browser/ui/webui/inspect_ui.cc
 line:     188
 function: DCHECK(render_process_host);

---| source code fix

if (!render_process_host->HasConnection())
  continue;


---| timeline of disclosure

- vulnerability discovery     - Aug 08, 2012
- code.google.com report      - Aug 15, 2012
- Chromium community fix      - Oct 11, 2012
- This disclosure             - Mar 14, 2013

---| references

https://chromiumcodereview.appspot.com/11066114/ (for some reason this issue was removed)
https://code.google.com/p/chromium/issues/detail?id=142979 (not public)


Heyder Andrade
heyder.andrade@...il.com
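
An added illustration of the bug class in this advisory, not the author's or Chromium's code: a stand-in DCHECK macro that is compiled out under NDEBUG (so it guards nothing in a release build), a hypothetical worker list whose host pointer may be null, and a hardened loop that tests the pointer with a real runtime check before calling HasConnection(). The type and function names are assumptions.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Stand-in for a debug-only check (assumption, mimics DCHECK semantics):
// active in debug builds, a no-op once NDEBUG is defined for release.
#ifdef NDEBUG
#define DCHECK(cond) ((void)0)
#else
#define DCHECK(cond) assert(cond)
#endif

// Hypothetical minimal host type, not Chromium's RenderProcessHost.
struct RenderProcessHost {
  bool connected;
  bool HasConnection() const { return connected; }
};

// Hypothetical worker entry; host may be null if it was never created.
struct WorkerInfo {
  RenderProcessHost* host;
};

// Vulnerable shape: the null check exists only as a DCHECK, then the
// pointer is dereferenced unconditionally. In a release build a null
// host reaches HasConnection() and the process faults (as in the report).
int CountConnectedUnsafe(const std::vector<WorkerInfo>& workers) {
  int n = 0;
  for (const WorkerInfo& w : workers) {
    DCHECK(w.host);                 // compiled out under NDEBUG
    if (!w.host->HasConnection())   // null dereference if host == nullptr
      continue;
    ++n;
  }
  return n;
}

// Hardened shape: an explicit runtime test that survives release builds.
int CountConnectedSafe(const std::vector<WorkerInfo>& workers) {
  int n = 0;
  for (const WorkerInfo& w : workers) {
    if (!w.host || !w.host->HasConnection())  // skip missing hosts safely
      continue;
    ++n;
  }
  return n;
}

// Constructed sample: one connected host, one disconnected, one missing.
int CountSampleSafe() {
  RenderProcessHost up{true}, down{false};
  std::vector<WorkerInfo> workers = {{&up}, {&down}, {nullptr}};
  return CountConnectedSafe(workers);  // 1; the null entry is skipped
}
```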