Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Chrome Null Pointer in InspectDataSource::StartDataRequest
From: Heyder Andrade <heyder.andrade () gmail com>
Date: Thu, 14 Mar 2013 00:39:18 -0300

---| overview

Vulnerability: Chrome Null Pointer in InspectDataSource::StartDataRequest
Date: 03/14/2012
Author: @HeyderAndrade (heyder.andrade[at]gmail[dot]com)
Chrome Version: =< 21.0.1180.57 stable
Operating System Tested: Win XP SP2, WIN7, Mac OS X 10.6.8 (10K549),Linux Ubuntu 12.04
Architecture: x86 and Amd64

---| steps will reproduce this crash

1. Open the browser and visit any site that has an SSL certificate signed by a CA not trusted.
an ssl error will be showed, DON'T click "proceed anayway".
2. Open a new tab and access chrome://inspect

ps. I believe it should work with any ssl error, but i tested only  with no valid CA error.

---| original OSX Crash Report

 Process:         Google Chrome [767]
 Path:            /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
 Identifier:      com.google.Chrome
 Version:         21.0.1180.57 (1180.57)
 Code Type:       X86 (Native)
 Parent Process:  launchd [158]

 Date/Time:       2012-08-08 22:53:09.442 -0300
 OS Version:      Mac OS X 10.6.8 (10K549)
 Report Version:  6

 Interval Since Last Report:          19713 sec
 Crashes Since Last Report:           1
 Per-App Interval Since Last Report:  19374 sec
 Per-App Crashes Since Last Report:   1
 Anonymous UUID:                      B5BA5F00-E166-4923-9393-E0FC63561975

 Exception Type:  EXC_BAD_ACCESS (SIGBUS)
 Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
 Crashed Thread:  0  CrBrowserMain  Dispatch queue: com.apple.main-thread

---| source code

This vulnerability lies in the function call DCHECK (line 118 of the inspect_ui.cc)
the render_process_host can be NULL.

 file:     browser/ui/webui/inspect_ui.cc
 line:     188
 function: DCHECK(render_process_host);

---| source code fix

if (!render_process_host->HasConnection())

---| timeline of disclosure

- discovery vulnerability               - Ago 08, 2012
- code.google.com report        - Aug 15, 2012
- Chromium community fix        - Oct 11, 2012
- This disclosure                               - Mar 14, 2013

---| references

https://chromiumcodereview.appspot.com/11066114/ (for some reason this issue was removed)
https://code.google.com/p/chromium/issues/detail?id=142979 (no public)

Attachment: gdb_linux.txt

Heyder Andrade
heyder.andrade () gmail com

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Chrome Null Pointer in InspectDataSource::StartDataRequest Heyder Andrade (Mar 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]