A Browser Bomb: A bug in the most recent version of Chrome lets miscreants crash
browser tabs simply by embedding a link with a malformed URL in a page's HTML.
The vulnerability,
dubbed "AwSnap" by web developer Jason Blatt, affects Chrome version
41 on Windows, OS X, and Chrome OS, though reports vary as to whether it exists
in Chrome on Ubuntu or other desktop Linux flavors.
The bug crashes the
browser without the user taking any direct action other than loading the
affected page. All that's needed is to insert an excessively long and/or
malformed link into the page's code, such as:
<a href="http://Lorem ipsum dolor sit amet, consectetur adipiscing
elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut
enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip
ex ea commodo consequat.">Sayonara, Chrome!</a>
The exploit works
because of Chrome's habit of prefetching page data, such as performing DNS
lookups on domain names in links on a page, in a preemptive attempt to speed up
future loads. This causes the browser to try to process malformed URLs even
before the user has clicked on them, triggering the crash.
It also means you
have to load the malicious HTML over a network for the exploit to work. Loading
bad HTML from a local file:// URL won't crash the browser.
The fix is simple: a length check on the hostname before it is queued for a
DNS lookup, as the patch shows:
NameList names;
...
// Only queue hostnames that fit within the DNS name length limit.
if (it->first.length() <= network_hints::kMaxDnsHostnameLength)
  names.push_back(it->first);
kMaxDnsHostnameLength
is defined as 255: the maximum length of a DNS name is 255 octets. It appears
from looking at the Chromium source that the page rendering code sends the long
DNS name in a message to a hostname lookup component during the pre-fetch. This
component flags up an error when it checks the length of the DNS name and sees
that it exceeds kMaxDnsHostnameLength – triggering the "AwSnap"
crash. It's a case of one part of Chromium sending too much information to
another.
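To make the mechanism concrete, here is an added example (not Chromium code and not from this post) that models the two sides the text describes: a renderer-side pass that collects hostnames from a page's links for DNS prefetch, and a browser-side receiver that treats an over-long hostname as a bad message. The `patched` flag toggles the length check from the fix, so the pre-fix and post-fix paths can be compared on the same input. It goes beyond the page's patch in one respect: `IsValidDnsName` also enforces the 63-octet per-label limit from RFC 1035. `ExtractHost` is a deliberate simplification, not Chromium's URL parser, and the sample links are constructed for the example.

```cpp
// Added example, not Chromium code. Models the renderer-side hostname
// collection for DNS prefetch and the browser-side receiver that rejects
// over-long names, so the unpatched and patched paths can be compared.
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

namespace network_hints {
// Same value the page quotes from Chromium: a DNS name is at most 255 octets.
constexpr std::size_t kMaxDnsHostnameLength = 255;
// RFC 1035 also caps each label at 63 octets (not part of the page's fix).
constexpr std::size_t kMaxDnsLabelLength = 63;
}  // namespace network_hints

// Minimal host extraction for illustration only, not Chromium's URL parser:
// expects "scheme://host[:port][/path]" and returns "" when no "://" is found.
std::string ExtractHost(const std::string& href) {
  const std::size_t scheme_end = href.find("://");
  if (scheme_end == std::string::npos) return "";
  const std::size_t start = scheme_end + 3;
  const std::size_t end = href.find_first_of(":/?#", start);
  return href.substr(start, end == std::string::npos ? std::string::npos
                                                      : end - start);
}

// Stricter than the page's patch: checks total length and each label's
// length. A single trailing dot (fully qualified name) is accepted.
bool IsValidDnsName(std::string name) {
  if (!name.empty() && name.back() == '.') name.pop_back();
  if (name.empty() || name.size() > network_hints::kMaxDnsHostnameLength)
    return false;
  std::size_t pos = 0;
  while (true) {
    const std::size_t dot = name.find('.', pos);
    const std::size_t len = (dot == std::string::npos ? name.size() : dot) - pos;
    if (len == 0 || len > network_hints::kMaxDnsLabelLength) return false;
    if (dot == std::string::npos) return true;
    pos = dot + 1;
  }
}

// Stands in for the browser-process receiver of the prefetch message: a name
// past the limit is treated as a bad message, which the page describes as the
// trigger for the "Aw, Snap!" crash.
struct BadMessage : std::runtime_error {
  using std::runtime_error::runtime_error;
};

void BrowserSideLookup(const std::vector<std::string>& names) {
  for (const std::string& n : names) {
    if (n.size() > network_hints::kMaxDnsHostnameLength)
      throw BadMessage("hostname exceeds kMaxDnsHostnameLength");
    // A real resolver call would follow here.
  }
}

// Renderer side: collect hostnames from the page's links. With `patched`
// false this is the pre-fix behaviour; with `patched` true the length check
// from the fix drops over-long names before they are sent.
std::vector<std::string> CollectHostnames(const std::vector<std::string>& hrefs,
                                          bool patched) {
  std::vector<std::string> names;
  for (const std::string& href : hrefs) {
    const std::string host = ExtractHost(href);
    if (host.empty()) continue;
    if (!patched || host.size() <= network_hints::kMaxDnsHostnameLength)
      names.push_back(host);
  }
  return names;
}

// Returns true when the tab survives the prefetch pass, false when the
// receiver rejects the message (the crash the page describes).
bool SimulatePrefetch(const std::vector<std::string>& hrefs, bool patched) {
  try {
    BrowserSideLookup(CollectHostnames(hrefs, patched));
    return true;
  } catch (const BadMessage&) {
    return false;
  }
}

// Constructed sample links: two ordinary ones and one whose host is over 300
// characters, well past the 255-octet limit.
std::vector<std::string> SampleHrefs() {
  return {"https://example.com/page",
          "http://sub.example.org:8080/x?y=1",
          "http://" + std::string(300, 'a') + ".example.net/"};
}

int main() {
  const std::vector<std::string> hrefs = SampleHrefs();
  std::cout << "unpatched survives: " << SimulatePrefetch(hrefs, false) << "\n"
            << "patched survives:   " << SimulatePrefetch(hrefs, true) << "\n";
  for (const std::string& href : hrefs)
    std::cout << (IsValidDnsName(ExtractHost(href)) ? "valid   " : "invalid ")
              << href.substr(0, 40) << "\n";
  return 0;
}
```

The point of the split into `CollectHostnames` and `BrowserSideLookup` is the one the page makes: the receiver's check is a last line of defence that turns a bad input into a hard failure, so the sender must filter before it sends. Running the unpatched path shows the over-long host reaching the receiver and aborting the pass; the patched path drops it and the two ordinary links are still prefetched.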
Beyond being a mere
annoyance, the bug is significant because it can be used to launch
denial-of-service attacks. A malicious actor who inserted a bad URL into a post
of an online forum would make the entire conversation thread inaccessible to
Chrome users, for example.
Fortunately, a patch that
fixes the bug has already been submitted and merged, so it should become a
non-issue once the Stable channel of Chrome is updated to version 42.