Advisory : Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.

To: bugtraq@xxxxxxxxxxxxxxxxx, websecurity@xxxxxxxxxxxxx
Subject: Advisory : Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.
From: Aditya K Sood <0kn0ck@xxxxxxxxxxxx>
Date: Wed, 24 Sep 2008 09:32:55 +0530
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.16 (Windows/20080708)


*Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.*

*Version Affected:*
Chrome/0.2.149.30
Chrome/0.2.149.29

*Severity:*
High

*Description:*

The Google chrome browser is vulnerable to memory exhaustion baseddenial ofservice which can be triggered remotely.The vulnerability triggers whenCarriageReturn(\r\n\r\n) is passed as an argument to window.open() function. Itmakes theGoogle Chrome to generate number of windows at the same time therebyleadingto memory exhaustion. The behavior can be easily checked by looking atthe taskmanager as with no time the memory usage rises high. The problem lies inthe handlingof object and its value returned by the javascript function. Once it istriggered the popups are started generating. The Google Chrome browser generate objectwindows continuouslythere by affecting memory of the resultant system. Probably it can becrashed within no time.

User interaction is required in this.

*Proof of Concept*
http://www.secniche.org/gds

*Links:*
http://secniche.org/gcrds.html
http://evilfingers.com/advisory/Google_Chrome_Carriage_Return_Null_Object_Memory_Exhaustion_Remote_Dos.php

*Detection:*
SecNiche confirmed this vulnerability affects Google Chrome on Microsoft
Windows XP SP2 platform.The versions tested are:

Chrome/0.2.149.30
Chrome/0.2.149.291

*Disclosure Timeline:*
Disclosed: 22 September 2008
Release Date. September 24 ,2008

*Vendor Response:*
Google acknowledges this vulnerability and "fix" will be released soon.

*Credit:*
Aditya K Sood

*Disclaimer*

The information in the advisory is believed to be accurate at the timeof publishing based oncurrently available information. Use of the information constitutesacceptance for use in anAS IS condition. There is no representation or warranties, eitherexpress or implied by or withrespect to anything in this document, and shall not be liable for a nyimplied warranties ofmerchantability or fitness for a particular purpose or for any indirectspecial or consequential

damages.

Follow-Ups:
- Re: Advisory : Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.
  - From: LIUDIEYU dot COM

Prev by Date: [ GLSA 200809-15 ] GNU ed: User-assisted execution of arbitrary code
Next by Date: [USN-645-1] Firefox and xulrunner vulnerabilities
Previous by thread: [ GLSA 200809-15 ] GNU ed: User-assisted execution of arbitrary code
Next by thread: Re: Advisory : Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.
Index(es):
- Date
- Thread