A string could be used to crash Google Chrome

It seems incredible, but as already happened for Skype it is possible to crash the latest version of Google Chrome with a simple tiny URL.

The flaw was discovered last week by the expert Andris Atteka who filed also a bug report.

“Recently I reported a crash bug in Google Chrome (issue #533361). This issue reminded me of the recent Skype vulnerability – both occur with simple URL strings. So how can you crash Google Chrome? By adding a NULL char in the URL string:

http://biome3d.com/%%30%30

Unfortunately no reward was awarded as this was deemed to be only a DOS vulnerability. Anyway, making secure software is much harder than finding issues in it. Thanks Google.” wrote Andris Atteka.

Experts at The Register published the image of two URLs that could be used to crash Chrome, users can kill their browser just rolling the mouse over them in a page, or launching them from another application such as an email client, or pasting them into the address bar.

The above URLs trigger a breakpoint rather than exploit a buffer overflow vulnerability.

The two URL works on Chrome 45.0.2454.93 on OS X El Capitan and Windows 10 and also Opera 32.0 which is based on Chromium 45 crash. The experts also noticed Chromebooks crashing by managing the URL, meanwhile Android’s Chrome seems to be immune.

The Register provided a detailed analysis of the way the URLs crash the Chrome browser.

The %%300 at the end of the URL is converted into %00 (0x30 is the ASCII code for ‘0’. The %%300 becomes this string of characters: the original ‘%’, the converted ‘0’, and the original ‘0’. Combined, that’s ‘%00’.) This sticks a NULL byte at the end of the web address.
This URL is passed to GURLToDatabaseURL() which calls ReplaceComponents().
This causes the URL to be processed again, hitting the NULL byte. It figures that shouldn’t be there and marks the URL as invalid.
The code path returns to GURLToDatabaseURL() which expects the URL to still be valid, and callsspec() on it.
But the URL is invalid, which is unexpected, and so the function hits a DCHECK() that causes the software to bail out – even on the release build.
When hovering the mouse over the URL, the web address, which is marked as invalid, is sent to another part of the browser that expects valid-only addresses – causing the tab to be blown away.

The Chromium team is currently working to fix the issue.

Pierluigi Paganini

(Security Affairs – Chrome, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.