Fwd: Google Chrome Frame null domain XSS


Lostmon lords

Nov 19, 2009, 7:50:22 AM11/19/09
to los...@googlegroups.com
---------- Forwarded message ----------
From: Lostmon lords <los...@gmail.com>
Date: 2009/11/19
Subject: Google Chrome Frame null domain XSS
To: los...@googlegroups.com, moder...@osvdb.org,
bu...@securitytracker.com, vu...@securityfocus.com, vu...@secunia.com,
submi...@packetstormsecurity.org, ne...@securiteam.com,
xfo...@iss.net, Vu...@frsirt.com, bug...@securityfocus.com


#####################################
Google Chrome Frame null domain XSS
Vendor URL: http://www.google.com/chromeframe
Vendor changelog: http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html
Advisory: http://lostmon.blogspot.com/2009/11/google-chrome-frame-null-domain-xss.html
Vendor notified: yes   Exploit available: YES
######################################


######################
Description by vendor
######################

Google Chrome Frame is a free plug-in for Internet Explorer.
Some advanced web apps, like Google Wave, use Google Chrome
Frame to provide you with additional features and better performance.

Google Chrome Frame is an early-stage open source
plug-in that seamlessly brings Google Chrome's open
web technologies and speedy JavaScript engine to
Internet Explorer.

################
Version affected
################

4.0.223.9 (Official Build 29618)
WebKit: 532.3
V8: 1.3.16
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3

Not affected version:

4.0.245.1 (Official Build 31970)
WebKit: 532.5
V8: 1.3.18.6
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5

You can find additional information here:
http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html

#####################
Cross Site scripting
#####################

Create an HTML document and add the following to test =>

<iframe src="javascript:alert(1)"></iframe>
=> this opens the iframe and executes the alert
( this is correct)

<iframe src="cf:javascript:alert(1)"></iframe>
this does not work, it does not show the alert ( correct)

and here is the flaw =>
<iframe src="cf:view-source:javascript:alert(1)"></iframe>

This shows & executes the alert; it works in local & remote
scenarios, or via the address bar too.
This bypasses cross-origin protections !!!

For the Google Chrome browser, test this
at the address bar =>
view-source:javascript:alert(1)

this executes the alert, but recently Google has made changes to the
about:blank page and this issue is only exploitable
via the address bar, not in an iframe or frame or HTML document, so for that
reason I think that this issue isn't exploitable in a remote scenario.
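
As an added illustration (not code from the advisory or from Google), the Python below models the filtering mistake the PoC above relies on: a check that peels only one wrapper scheme still sees `view-source` in `cf:view-source:javascript:...` and lets it through, whereas resolving the innermost scheme flags it. The wrapper scheme names come from the advisory; the allow-list policy and the function names are my own assumptions.

```python
import re

# Wrapper schemes named in the advisory: each one carries another URL as its body.
WRAPPER_SCHEMES = {"cf", "view-source"}
# Policy (an assumption, not from the advisory): frames may only load http(s) targets.
ALLOWED_TARGET_SCHEMES = {"http", "https"}

_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):(.*)$", re.S)

def split_scheme(url):
    """Return (scheme, remainder); scheme is lowercased, or None if there is none."""
    cleaned = "".join(ch for ch in url if ch > "\x1f").strip()  # drop control chars
    m = _SCHEME_RE.match(cleaned)
    if not m:
        return None, cleaned
    return m.group(1).lower(), m.group(2)

def one_level_scheme(url):
    """Models the flawed filter: peel at most one wrapper scheme, then judge."""
    scheme, rest = split_scheme(url)
    if scheme in WRAPPER_SCHEMES:
        scheme, _ = split_scheme(rest)
    return scheme

def effective_scheme(url, max_depth=8):
    """Peel wrapper schemes repeatedly and return the innermost one."""
    scheme, rest = split_scheme(url)
    depth = 0
    while scheme in WRAPPER_SCHEMES and depth < max_depth:
        scheme, rest = split_scheme(rest)
        depth += 1
    return scheme

def blocks_script(url, resolver=effective_scheme):
    """Deny-list style check: True when the resolved scheme is javascript."""
    return resolver(url) == "javascript"

def frame_src_allowed(url):
    """Allow-list style check on the innermost scheme (relative URLs rejected)."""
    return effective_scheme(url) in ALLOWED_TARGET_SCHEMES

if __name__ == "__main__":
    # Constructed inputs: the three iframe sources from the advisory plus a normal page.
    for src in ("javascript:alert(1)", "cf:javascript:alert(1)",
                "cf:view-source:javascript:alert(1)", "https://example.com/"):
        print(f"{src:36} one-level blocks={blocks_script(src, one_level_scheme)!s:5} "
              f"innermost blocks={blocks_script(src)!s:5} allowed={frame_src_allowed(src)}")
```

The allow-list form is the safer fix: it does not need to know every scheme that can carry script, only the few that a frame is meant to load.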

###########
crashes
###########

cf:view-source:about@: => crash
cf:about@: => crashes the tab

##########
Solution
##########

Google has automatically released a new version
of Chrome Frame, 4.0.245.1 (Official Build 31970),
and this version is not affected.

#################End#############

Thanks to Estrella for being my light
Thanks to icar0 & sha0 from Badchecksum
Thanks to the Google Security Team

Sincerely:
Security Research & Analysis.
Lostmon (los...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....

