Google Chrome
II. DESCRIPTION
Remote exploitation of a memory corruption vulnerability in WebKit, as
included with multiple vendors' browsers, could allow an attacker to
execute arbitrary code with the privileges of the current user. Google
Chrome browsers to parse and render web content.
The vulnerability occurs when a certain property of an HTML element
with a caption is reset via JavaScript code. When this occurs, a C++
object is incorrectly accessed after it has been freed. This results in
an attacker-controlled value being used as a C++ VTABLE, which leads to
and other browsers
-----------------------------
URL: http://websecurity.com.ua/4206/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
8, Google Chrome, Opera and other browsers.
-----------------------------
Timeline:
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
created by an attacker. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted
sites. After the user visits the malicious web page, no further user
interaction is needed.
WebKit is used by multiple applications, including Google Chrome and
Apple Safari (including Safari on the iPhone). Affected versions are
listed in the Detection field of this report.
IV. DETECTION
>
> Vulnerable version is Opera 9.52 and previous versions (and potentially
> next versions too).
>
> Vulnerable version is Google Chrome 2.0.172 and previous versions. At that,
> Google Chrome 1.0.154.48 is not vulnerable - it's possible that only
> Chrome 2.x is vulnerable.
>
> I mentioned this vulnerability at my site
> (http://websecurity.com.ua/3338/).
refresh: 0;
URL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b
Via data: it's possible to bypass, in Firefox 3.0.9 and higher (I tested in
3.0.11), the prohibition on JavaScript code execution in the refresh header.
But in Firefox 3.0.11 and Google Chrome you can't get to cookies this way;
it's possible in old Mozilla (and in those versions of Firefox where there is
a relation between the data: page and the original page).
Vulnerable version is Mozilla 1.7.x and previous versions.
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4238/
>>> -----------------------------
>>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet
>>> Explorer
>>> 8, Google Chrome, Opera.
>>> -----------------------------
>>> Timeline:
>>>
>>> 26.05.2010 - found vulnerabilities.
>>> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
Hello Bugtraq!
I want to warn you about a Denial of Service vulnerability in Google Chrome.
I found this vulnerability already on 26.12.2008. The attack belongs to the
types of blocking DoS and DoS via resource consumption
(http://websecurity.com.ua/2550/).
DoS:
versions. And potentially next versions (IE7 and IE8).
Vulnerable version is Opera 9.52 and previous versions (and potentially next
versions too).
Vulnerable version is Google Chrome 2.0.172 and previous versions. At that,
Google Chrome 1.0.154.48 is not vulnerable - it's possible that only
Chrome 2.x is vulnerable.
I mentioned this vulnerability at my site
(http://websecurity.com.ua/3338/).
-- Affected Products:
Microsoft Internet Explorer
Google Chrome
Mikul Links
Apple Safari
ISC Lynx
-- Vulnerability Details:
Hi list,
This is a quick update regarding Google Chrome's Math.random implementation and its vulnerability. Our original results with Google Chrome 3.0 and above don't hold as-is for Google 6.0 and above due to a change introduced in the Google Chrome Math.random implementation. However, the attack algorithm can be modified to take this change into account, so the vulnerability is still in effect. As reported earlier, it is possible to read application states across domains, thus enabling, for example, in-session phishing. This was reported to Google's security team earlier this year, which responded by stating that there is no ETA for a fix and that we're free to publish our results.
For additional details, please read the full paper at:
http://www.trusteer.com/sites/default/files/Google_Chrome_6.0_and_7.0_Math.random_vulnerability.pdf
Thanks,
-Amit
Amit Klein, CTO, Trusteer
Advisory: Google Chrome OnBeforeUnload and OnUnload Null Check Vulnerability.
Version Affected:
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27
Description:
Google Chrome is susceptible to stringent behavior while handling
"onbeforeunload"
Advisory: Google Chrome MetaCharacter URI Obfuscation Vulnerability.
Version Affected: All
Chrome/0.2.149.30
Chrome/0.2.149.29
Chrome/0.2.149.27
Description:
Google Chrome is vulnerable to a URI Obfuscation vulnerability. An
attacker can easily
Google Chrome : The perfect password offering ( Tested on pair.com Webmail, might work on
others as well with Google Chrome 0.2.149.27)
Chrome saves passwords in CLEAR TEXT.
1 ] Go to webmail.pair.com
Pair Webmail provides https and doesn't have any option on its page to save password.
2 ] Enter your username. Enter a false (incorrect) password
Hello,
Google Chrome Auto download exploit ..
Discovered By : HACKERS PAL
Copyright : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net
Tested Successfully on Google Chrome Build 1798
considers this vulnerability to be highly exploitable.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Google
Chrome 3.0.195.38 and Safari 4.0.4. Previous versions are suspected to
be vulnerable. A full list of affected Apple products can be found in
Security Advisory APPLE-SA-2010-03-11-1 Safari 4.0.5.
V. WORKAROUND
Opera
-----------------------------
URL: http://websecurity.com.ua/4248/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
8, Google Chrome, Opera.
-----------------------------
Timeline:
26.05.2010 - found vulnerabilities.
26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
Version Affected:
Chrome/1.0.154.43 and previous too
Description:
The Google Chrome browser is vulnerable to a clickjacking flaw. A
clickjacked page tricks a user into performing undesired actions by
clicking on a concealed link. Attackers can trick users into performing
actions which the users never intended to do, and there is no way of
tracing such actions later, as the user was genuinely
<!--
Google Chrome Browser (ChromeHTML://) remote parameter injection POC
by Nine:Situations:Group::bellick&strawdog
Site: http://retrogod.altervista.org/
tested against: Internet Explorer 8 beta 2, Google Chrome 1.0.154.36, Microsoft Windows XP SP3
List of command line switches:
http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc
Original url: http://retrogod.altervista.org/9sg_chrome.html
click the following link with IE while monitoring with procmon
> yes, it'd work for every browser on the planet that can execute JS) -
John, you were left behind by almost two years.
In September and October 2008 I made such projects as Day of bugs in Google
Chrome, Day of bugs in browsers, Day of bugs in browsers 2: reloaded (where
I released many different vulnerabilities in browsers, including DoS). And
in October 2008, for the project Day of bugs in browsers 2, I released exploits
for blocking DoS with alertbox which affect many browsers ;-) (which you
mentioned in your letter). As you can find in my post DoS in Firefox,
Internet Explorer and Google Chrome (http://websecurity.com.ua/2575/).
and earlier allows remote attackers to cause a denial of service
(application crash) via a crafted .ogg file, related to the
vorbis_floor0_decode function. (CVE-2010-4704)
Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder
in FFmpeg, as used in Google Chrome before 8.0.552.237 and Chrome
OS before 8.0.552.344, allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly have
unspecified other impact via a crafted WebM file, related to buffers
for (1) the channel floor and (2) the channel residue. (CVE-2011-0480)
Hi Aditya,
> Google Chrome ( 5.0.375.127 and previous versions) suffers from HTTP
> Auth Dialog spoofing vulnerability due to possible
> realm manipulation in the HTTP header. Previously, Google Chrome has had
> a similar bug which can be seen on the following link
How is this significantly different than the issues described in:
http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
To overcome this limitation and provide a real-case attack scenario, we used a technique obtained from [1]. This attack increases the area of the affected input field to cover the whole screen. Once the mouse is moved anywhere on the screen, the onmouseover JavaScript handler is triggered and executes the injected code. In this proof of concept, an alert containing the message "XSS" should be shown on the screen on mouse movement.
http://target/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E
The attack vector exploited in this proof of concept had no effect on the Google Chrome web browser, but was successfully exploited on Mozilla Firefox and others.
===== Workaround =====
Remove the installation directory after installation, as recommended during installation.
6. *Solutions and Workarounds*
On the server side, you can upgrade to a non-vulnerable version. On the
client you can use a browser that obeys the Content-Type header
specified by the server, such as Mozilla Firefox, Google Chrome, Apple
Safari or Opera. Internet Explorer 8 with the XSS Filter won't execute
the malicious scripts.
7. *Credits*
Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon