Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption

—————-Security Adisory—————-

Title: Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption Vulnerability (CVE-2011-2841) Sec-Security: Hich CVE-Number: CVE-2011-2841 Date of discovery: 04/06/2011(MM/DD/YYYY) Fix date: 06/28/2011(MM/DD/YYYY) Fixed Version: Google Chrome >= 14.0.835.163
Discovered by: Mario Gomes

—————-Summary—————-

Google Chrome is a web browser developed by Google that uses the WebKit layout engine.
It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008.
The name is derived from the graphical user interface frame, or “chrome”, of web browsers.
As of August 2011, Chrome is the third most widely used browser with 23.16% worldwide usage share of web browsers, according to StatCounter.(From Wikipedia)

—————-Description—————-

Google Chrome suffers from a memory corruption vulnerability that occurs in the manipulation of PDF files.
The failure occurs when the browser opens an HTML file that contains multiple tag pointing to a PDF file.<br /> So it is a memory corruption flaw allows code to run within the sandbox.</p> <p>—————-Stacktrace—————-</p> <p>This stracktrace shows a clear memory corruption, because I do not have the symbols of Google’s PDF viewer can not give more details.</p> <p>(648.41c): Access violation – code c0000005 (first chance)<br /> First chance exceptions are reported before any exception handling.<br /> This exception may be expected and handled.<br /> eax=049c4000 ebx=0000efee ecx=049bc7a0 edx=841d63b9 esi=00000000 edi=049bf000<br /> eip=6f3f9332 esp=002feaa0 ebp=002feac4 iopl=0 nv up ei pl nz na pe nc<br /> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206<br /> *** ERROR: Symbol file could not be found. Defaulted to export symbols for D:\Users\Cassio\AppData\Local\Google\Chrome\Application\12.0.742.91\pdf.dll –<br /> pdf!PPP_GetInterface+0x17be62:<br /> 6f3f9332 8b08 mov ecx,dword ptr [eax] ds:0023:049c4000=????????<br /> Stacktrace:<br /> pdf!PPP_GetInterface+0x17be62<br /> pdf!PPP_GetInterface+0x17430f<br /> pdf!PPP_GetInterface+0x172fe1<br /> pdf!PPP_GetInterface+0x28d40<br /> pdf!PPP_GetInterface+0x11db6<br /> pdf!GetPDFDocInfo+0x1944f<br /> pdf!GetPDFDocInfo+0x18cce<br /> pdf!GetPDFDocInfo+0x1868c<br /> pdf!GetPDFDocInfo+0x85ae<br /> pdf!GetPDFDocInfo+0x4432<br /> pdf+0x64d0<br /> pdf!GetPDFDocInfo+0x6f42<br /> pdf!GetPDFDocInfo+0x6d0e<br /> pdf!GetPDFDocInfo+0x49e0<br /> pdf!GetPDFDocInfo+0x37be<br /> pdf!GetPDFDocInfo+0x3792<br /> pdf!GetPDFDocInfo+0x3db1<br /> chrome_63700000!WebCore::DocumentLoader::finishedLoading+0x31<br /> chrome_63700000!WebCore::FrameLoader::finishedLoading+0x26<br /> chrome_63700000!WebCore::MainResourceLoader::didFinishLoading+0x5c<br /> chrome_63700000!WebCore::ResourceLoader::didFinishLoading+0xe<br /> chrome_63700000!WebCore::ResourceHandleInternal::didFinishLoading+0x35<br /> chrome_63700000!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest+0x10c<br /> chrome_63700000!ResourceDispatcher::OnRequestComplete+0x43<br /> chrome_63700000!IPC::MessageWithTuple<Tuple4<int,net::URLRequestStatus,std::basic_string<char,std::char_traits<char>,std::alloc+0x4d<br /> chrome_63700000!ResourceDispatcher::DispatchMessageW+0x4f<br /> chrome_63700000!ResourceDispatcher::OnMessageReceived+0xbb<br /> chrome_63700000!ChildThread::OnMessageReceived+0x1b<br /> chrome_63700000!RunnableMethod<notifier::MediatorThreadImpl::Core,void (__thiscall notifier::MediatorThreadImpl::Core::*)(std::+0x17 chrome_63700000!MessageLoop::RunTask+0x7d chrome_63700000!MessageLoop::DeferOrRunPendingTask+0x28 chrome_63700000!MessageLoop::DoWork+0x71 chrome_63700000!base::MessagePumpDefault::Run+0xc2 chrome_63700000!MessageLoop::RunInternal+0x31 chrome_63700000!MessageLoop::RunHandler+0x17 chrome_63700000!MessageLoop::Run+0x15 chrome_63700000!RendererMain+0x309 chrome_63700000!ChromeMain+0x653 chrome!MainDllLoader::Launch+0xf0 chrome!wWinMain+0xef chrome!__tmainCRTStartup+0x112 kernel32!BaseThreadInitThunk+0xe ntdll!__RtlUserThreadStart+0x70 ntdll!_RtlUserThreadStart+0x1b ----------------Tested On---------------- Microsoft Windows XP Professional Service Pack 3 (Brazilian Portuguese) ----------------Proof-of-concept---------------- Poc in HTML File: http://pastebin.com/DBUGWbQM The PDF file needed can be found here: http://www.irs.gov/pub/irs-pdf/fw4.pdf Download both files here: http://www.exploit-db.com/sploits/17929.zip ----------------Steps to Reproduce---------------- 1. Create the file poc.html with this code http://pastebin.com/DBUGWbQM 2. Download the PDF file here and save in same folder 3. Open the poc.html with fw4.pdf in same folder. ----------------Vulnerability Timeline(MM/DD/YYYY)---------------- [04/06/2011] Vulnerability is discovered and sent to the vendor. [04/06/2011] The Google security team confirm the vulnerability and updates the status. [06/13/2011] More information about the vulnerability is sent. [07/28/2011] Vulnerability is fixed and the vendor announces the launch of the patch is version 14. [09/16/2011] The vendor released version 14 with the flaw fixed. [10/03/2011] Coordinated public security advisory released. ----------------References---------------- Google Release Notes Post(http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html) CVE Number(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2841) Chromium Bug Tracker Bug Id(http://code.google.com/p/chromium/issues/detail?id=78639) Vulnerability Blog Post(http://net-fuzzer.blogspot.com/2011/10/google-chrome-140835163-pdf-file.html) ----------------Vulnerability Credits---------------- Mario Gomes Security Researcher and Pen-tester, Goiania - GO, Brazil Blog http://net-fuzzer.blogspot.com Contact netfuzzer@hotmail.com ----------------End of Advisory---------------- </p> </div> <div id="nav-below"> <div class="nav-previous"><a href="http://zerobox.org/bug/4201.html" rel="prev"><span class="meta-nav">←</span> Linux kernel-2.6.18-6 x86 Local Root Exploit</a></div> <div class="nav-next"><a href="http://zerobox.org/bug/4203.html" rel="next">Linux Kernel 2.6.22 Local root Exploit <span class="meta-nav">→</span></a></div> </div> <div id="nav-below"> <center> <TABLE id="dd" width=950 style="font-size:13px; background:#fffff;font-weight:normal; font-family:Verdana, Arial, Helvetica, sans-serif; color:C8C8C8;" cellPadding=0 cellspacing=0 border=0> <TR><td colspan=2> <script id="_wau9ev">var _wau = _wau || []; _wau.push(["map", "ct3o2jnykl9l", "9ev", "420", "210", "neosat", "default-red"]); (function() {var s=document.createElement("script"); s.async=true; s.src="http://widgets.amung.us/map.js"; document.getElementsByTagName("head")[0].appendChild(s); })();</script> </td> </tr> </table> </center> </div> <div id="nav-below"> <center><TABLE id="dd" width=950 style="font-size:13px; background:#fffff;font-weight:normal; font-family:Verdana, Arial, Helvetica, sans-serif; color:C8C8C8;" cellPadding=0 cellspacing=0 border=0> <TR><td colspan=2> <script type="text/javascript"> </script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script> <script type="text/javascript"> /*468*60，创建于2011-8-7*/ var cpro_id = "u567353"; </script> <script src="http://cpro.baidustatic.com/cpro/ui/c.js" type="text/javascript"></script> </td> </tr> </table></center> </div>  </div>  <div id="comments-div"><span id="comments-addcomment"><a href="#respond" rel="nofollow" title="发表评论？">发表评论？</a></span><h2 id="comments">0 条评论。</h2></div> <script type="text/javascript"> /* <![CDATA[ */ function grin(tag) { var myField; tag = ' ' + tag + ' '; if (document.getElementById('comment') && document.getElementById('comment').type == 'textarea') { myField = document.getElementById('comment'); } else { return false; } if (document.selection) { myField.focus(); sel = document.selection.createRange(); sel.text = tag; myField.focus(); } else if (myField.selectionStart || myField.selectionStart == '0') { var startPos = myField.selectionStart; var endPos = myField.selectionEnd; var cursorPos = endPos; myField.value = myField.value.substring(0, startPos) + tag + myField.value.substring(endPos, myField.value.length); cursorPos += tag.length; myField.focus(); myField.selectionStart = cursorPos; myField.selectionEnd = cursorPos; } else { myField.value += tag; myField.focus(); } } /* ]]> */ </script> <div id="respond" class="comment-respond"> <h3 id="reply-title" class="comment-reply-title">发表评论</h3><p class="must-log-in">要发表评论，您必须先<a href="http://zerobox.org/bug/wp-login.php?redirect_to=http%3A%2F%2Fzerobox.org%2Fbug%2F4202.html">登录</a>。</p> </div> </div> </div> <div class="clear"></div> <div id="footer"> <div id="footer-inside"> <p> Copyright © Since 2009 ZeroBox Vulnerability DatabaseAll rights reserved</br> Powered by <a href="http://wordpress.org/" target="_blank">WordPress</a> | Theme <a href="http://zww.me" title="designed by zwwooooo" target="_blank">zBench</a> </p> <span id="back-to-top">↑ <a href="#" rel="nofollow" title="Back to top">回到顶部</a></span> </div> </div> <script type='text/javascript' id='wp-postviews-cache-js-extra'> /* <![CDATA[ */ var viewsCacheL10n = {"admin_ajax_url":"http:\/\/zerobox.org\/bug\/wp-admin\/admin-ajax.php","post_id":"4202"}; /* ]]> */ </script> <script type='text/javascript' src='http://zerobox.org/bug/wp-content/plugins/wp-postviews/postviews-cache.js?ver=1.68' id='wp-postviews-cache-js'></script> </body> </html>

ZeroBox Vulnerability Database

坚持！我们将做的更好！

Google Chrome < 14.0.835.163 PDF File Handling Memory Corruption