A string could be used to crash Google Chrome

Pierluigi Paganini September 20, 2015

It seems incredible, but as already happened for Skype it is possible to crash the latest version of Google Chrome with a simple tiny URL.

The flaw was discovered last week by the expert Andris Atteka who filed also a bug report.

Recently I reported a crash bug in Google Chrome (issue #533361). This issue reminded me of the recent Skype vulnerability – both occur with simple URL strings. So how can you crash Google Chrome? By adding a NULL char in the URL string:

http://biome3d.com/%%30%30

Unfortunately no reward was awarded as this was deemed to be only a DOS vulnerability. Anyway, making secure software is much harder than finding issues in it. Thanks Google.” wrote Andris Atteka.

Experts at The Register published the image of two URLs that could be used to crash Chrome, users can kill their browser just rolling the mouse over them in a page, or launching them from another application such as an email client, or pasting them into the address bar.

Chrome crash URLS

The above URLs trigger a breakpoint rather than exploit a buffer overflow vulnerability.

The two URL works on Chrome 45.0.2454.93 on OS X El Capitan and Windows 10 and also Opera 32.0 which is based on Chromium 45 crash. The experts also noticed Chromebooks crashing by managing the URL, meanwhile Android’s Chrome seems to be immune.

The Register provided a detailed analysis of the way the URLs crash the Chrome browser.
  • The %%300 at the end of the URL is converted into %00 (0x30 is the ASCII code for ‘0’. The %%300 becomes this string of characters: the original ‘%’, the converted ‘0’, and the original ‘0’. Combined, that’s ‘%00’.) This sticks a NULL byte at the end of the web address.
  • This URL is passed to GURLToDatabaseURL() which calls ReplaceComponents().
  • This causes the URL to be processed again, hitting the NULL byte. It figures that shouldn’t be there and marks the URL as invalid.
  • The code path returns to GURLToDatabaseURL() which expects the URL to still be valid, and callsspec() on it.
  • But the URL is invalid, which is unexpected, and so the function hits a DCHECK() that causes the software to bail out – even on the release build.
  • When hovering the mouse over the URL, the web address, which is marked as invalid, is sent to another part of the browser that expects valid-only addresses – causing the tab to be blown away.

The Chromium team is currently working to fix the issue.

Pierluigi Paganini

(Security Affairs – Chrome, hacking)



you might also like

leave a comment